GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-02-09 12:05:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC38 465,76GB Running: rjf5zst3.exe; Driver: C:\Users\Janeczek\AppData\Local\Temp\pxddqfow.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010027075c .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002703a4 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100270b14 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100270ecc .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100271284 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\wininit.exe[500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010043075c .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004303a4 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100430b14 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100430ecc .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100431284 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[536] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000077a28550 5 bytes JMP 000000010052075c .text C:\Windows\system32\winlogon.exe[536] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000077a2d440 5 bytes JMP 0000000100521284 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077a2f874 5 bytes JMP 0000000100520ecc .text C:\Windows\system32\winlogon.exe[536] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077a34d4c 5 bytes JMP 00000001005203a4 .text C:\Windows\system32\winlogon.exe[536] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077a48c20 5 bytes JMP 0000000100520b14 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010027075c .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002703a4 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100270b14 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100270ecc .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100271284 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\lsass.exe[604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001a075c .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010014075c .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001403a4 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100140b14 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100140ecc .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100141284 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010016075c .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100161284 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010041075c .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004103a4 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100410b14 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100410ecc .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100411284 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001c075c .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001c03a4 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001c0b14 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001c0ecc .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001c1284 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010029075c .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002903a4 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100290b14 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100290ecc .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100291284 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010025075c .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002503a4 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100250b14 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100250ecc .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100251284 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001b075c .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001b03a4 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001b0b14 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001b0ecc .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001b1284 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001004b075c .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004b03a4 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001004b0b14 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001004b0ecc .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001004b1284 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Windows\system32\atieclxx.exe[1108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010046075c .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004603a4 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100460b14 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100460ecc .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100461284 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010038075c .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003803a4 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100380b14 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100380ecc .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100381284 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010045075c .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004503a4 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100450b14 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100450ecc .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100451284 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001003f075c .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003f03a4 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001003f0b14 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001003f0ecc .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001003f1284 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1848] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010044075c .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004403a4 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100440b14 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100440ecc .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100441284 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[1936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1980] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100131014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100130804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100130a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100130c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100130e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001001301f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001001303fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100130600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001001901f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001001903fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100190804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100190600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1344] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100190a08 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1208] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1208] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1872] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001001b0600 .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001001b0804 .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001001b0a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001001b01f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001001b03fc .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000073c717fa 2 bytes [C7, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073c71860 2 bytes [C7, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073c71942 2 bytes [C7, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1556] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000073c7194d 2 bytes [C7, 73] .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001002d075c .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001002d0b14 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001002d1284 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010042075c .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004203a4 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100420b14 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100420ecc .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100421284 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001003a075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003a03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001003a0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001003a0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001003a1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010024075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002403a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100240b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100240ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100241284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010029075c .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100291284 .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\SearchIndexer.exe[1884] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001003a075c .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\WUDFHost.exe[2952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010032075c .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100321284 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\SearchProtocolHost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001002d075c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001002d0b14 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001002d1284 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[212] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\wbem\wmiprvse.exe[2656] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010013075c .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100131284 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100b11014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100b10804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100b10a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100b10c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100b10e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 0000000100b101f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 0000000100b103fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[1584] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100b10600 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001003a075c .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\Dwm.exe[3196] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001a075c .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001a0b14 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001a1284 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\Explorer.EXE[3316] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\Explorer.EXE[3316] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2676] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010047075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001004703a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100470b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100470ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100471284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2792] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3676] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 000000010023075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001002303a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 0000000100230b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 0000000100230ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 0000000100231284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3744] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\MOM.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 5 bytes JMP 0000000077cd0380 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 0000000077cd0370 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 0000000077cd0390 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 0000000077cd0320 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 0000000077cd02e0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 0000000077cd02d0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 0000000077cd0310 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 0000000077cd0230 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x15e890} .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 0000000077cd03a0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 0000000077cd02f0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 0000000077cd0350 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 0000000077cd0290 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 0000000077cd02b0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 0000000077cd0330 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x15e590} .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 0000000077cd0240 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 0000000077cd01e0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 0000000077cd0250 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x15e090} .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 0000000077cd03b0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 0000000077cd03c0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 0000000077cd0300 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 0000000077cd0360 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 0000000077cd02a0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 0000000077cd02c0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 0000000077cd0340 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 0000000077cd0260 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 0000000077cd0270 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 0000000077cd01f0 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 0000000077cd0210 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 0000000077cd0200 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 0000000077cd0220 .text C:\SystemoWe Nie Ruszaæ!\ATI.ACE\Core-Static\CCC.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 0000000077cd0280 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001001a075c .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001001a0b14 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001001a1284 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001000c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001000c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] ? C:\Windows\system32\mssprxy.dll [4040] entry point in ".rdata" section 000000006a4371e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0x1059a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000101060600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000101060804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0x1059a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0x10599a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0x1059928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0x1059b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0x1059b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0x1059ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0x1059aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0x1059868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0x10598a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000101060a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0x1059828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0x10599e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0x1059968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0x10598e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001010601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001010603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001011201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001011203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000101120804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000101120600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000101120a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 00000001011b1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 00000001011b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 00000001011b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 00000001011b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 00000001011b0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001011b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001011b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 00000001011b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2336] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0xa5ca28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100a70600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100a70804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0xa5ca68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0xa5c9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0xa5c928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0xa5cb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0xa5cb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0xa5cae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0xa5caa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0xa5c868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0xa5c8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100a70a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0xa5c828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0xa5c9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0xa5c968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0xa5c8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 0000000100a701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 0000000100a703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 0000000100b301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 0000000100b303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100b30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100b30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100b30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100b41014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100b40804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100b40a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100b40c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100b40e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 0000000100b401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 0000000100b403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100b40600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0x329228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100340600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100340804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0x329268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0x3291a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0x329128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0x329328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0x329368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0x3292e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0x3292a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0x329068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0x3290a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100340a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0x329028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0x3291e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0x329168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0x3290e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001003401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001003403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001003901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001003903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100390804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100390600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100390a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 00000001003a1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 00000001003a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 00000001003a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 00000001003a0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 00000001003a0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001003a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001003a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 00000001003a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0xeede28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000101040600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000101040804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0xeede68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0xeedda8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0xeedd28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0xeedf28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0xeedf68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0xeedee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0xeedea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0xeedc68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0xeedca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000101040a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0xeedc28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0xeedde8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0xeedd68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0xeedce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001010401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001010403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001011401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001011403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000101140804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000101140600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000101140a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 00000001011d1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 00000001011d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 00000001011d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 00000001011d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 00000001011d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001011d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001011d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 00000001011d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0x950628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100970600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100970804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0x950668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0x9505a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0x950528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0x950728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0x950768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0x9506e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0x9506a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0x950468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0x9504a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100970a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0x950428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0x9505e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0x950568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0x9504e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001009701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001009703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 0000000100ab01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 0000000100ab03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100ab0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100ab0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100ab0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100ac1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100ac0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100ac0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100ac0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100ac0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 0000000100ac01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 0000000100ac03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100ac0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0x43ce28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100450600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100450804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0x43ce68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0x43cda8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0x43cd28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0x43cf28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0x43cf68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0x43cee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0x43cea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0x43cc68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0x43cca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100450a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0x43cc28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0x43cde8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0x43cd68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0x43cce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001004501f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001004503fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001005901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001005903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100590804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100590600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100590a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 00000001005a1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 00000001005a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 00000001005a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 00000001005a0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 00000001005a0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001005a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001005a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 00000001005a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0x139628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0x139668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0x1395a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0x139528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0x139728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0x139768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0x1396e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0x1396a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0x139468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0x1394a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0x139428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0x1395e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0x139568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0x1394e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 0000000100271014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 0000000100270c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 0000000100270e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d1f991 7 bytes {MOV EDX, 0x2c5228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d1fbd5 7 bytes {MOV EDX, 0x2c5268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d1fc05 7 bytes {MOV EDX, 0x2c51a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d1fc1d 7 bytes {MOV EDX, 0x2c5128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d1fc35 7 bytes {MOV EDX, 0x2c5328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d1fc65 7 bytes {MOV EDX, 0x2c5368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d1fce5 7 bytes {MOV EDX, 0x2c52e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d1fcfd 7 bytes {MOV EDX, 0x2c52a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d1fd49 7 bytes {MOV EDX, 0x2c5068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d1fe41 7 bytes {MOV EDX, 0x2c50a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001002d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d20099 7 bytes {MOV EDX, 0x2c5028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d210a5 7 bytes {MOV EDX, 0x2c51e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d2111d 7 bytes {MOV EDX, 0x2c5168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d21321 7 bytes {MOV EDX, 0x2c50e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001004901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001004903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100490804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100490600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100490a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a45181 5 bytes JMP 00000001004a1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a45254 5 bytes JMP 00000001004a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a453d5 5 bytes JMP 00000001004a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a454c2 5 bytes JMP 00000001004a0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a455e2 5 bytes JMP 00000001004a0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a4567c 5 bytes JMP 00000001004a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a4589f 5 bytes JMP 00000001004a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a45a22 5 bytes JMP 00000001004a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cd1401 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cd1419 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cd1431 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cd144a 2 bytes [CD, 77] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cd14dd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cd14f5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cd150d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cd1525 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cd153d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cd1555 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cd156d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cd1585 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cd159d 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cd15b5 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cd15cd 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cd16b2 2 bytes [CD, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cd16bd 2 bytes [CD, 77] .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b43ae0 5 bytes JMP 00000001003a075c .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b47a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b71490 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b714f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b71810 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8c6e00 5 bytes JMP 000007ff7f8e1dac .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8c6f2c 5 bytes JMP 000007ff7f8e0ecc .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8c7220 5 bytes JMP 000007ff7f8e1284 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8c739c 5 bytes JMP 000007ff7f8e163c .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8c7538 5 bytes JMP 000007ff7f8e19f4 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8c75e8 5 bytes JMP 000007ff7f8e03a4 .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8c790c 5 bytes JMP 000007ff7f8e075c .text C:\Windows\system32\svchost.exe[2448] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8c7ab4 5 bytes JMP 000007ff7f8e0b14 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b713c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b71410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b715c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b71680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b71710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b71790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b717b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b719a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b719a2 3 bytes {JMP 0x847e890} .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b71b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b71c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b71c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b71ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b71d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b71da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b71da2 3 bytes {JMP 0x847e590} .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b71e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b72100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b721c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b721c2 3 bytes {JMP 0x847e090} .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b721f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b72200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b72230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b72240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b722a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b722f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b72330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b72820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b72830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b72a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b72a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b72a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b72b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b72be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\AUDIODG.EXE[3640] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777feecd 1 byte [62] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d1faa0 5 bytes JMP 00000001001c0600 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d1fb38 5 bytes JMP 00000001001c0804 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d20018 5 bytes JMP 00000001001c0a08 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d3c45a 5 bytes JMP 00000001001c01f8 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d41217 5 bytes JMP 00000001001c03fc .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f0a30a 1 byte [62] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d9ee09 5 bytes JMP 00000001002001f8 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076da3982 5 bytes JMP 00000001002003fc .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076da7603 5 bytes JMP 0000000100200804 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076da835c 5 bytes JMP 0000000100200600 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[4980] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dbf52b 5 bytes JMP 0000000100200a08 ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fefa33741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fefa335f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fefa335674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fefa335e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fefa337f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fefa336a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fefa336ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fefa337b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fefa337ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fefa3378b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fefa334fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fefa335d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2144] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fefa337584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.0 ---- Thread C:\Windows\system32\svchost.exe [800:2400] 000007fef36e0ea8 Thread C:\Windows\system32\svchost.exe [800:2388] 000007fef36d9db0 Thread C:\Windows\system32\svchost.exe [800:2668] 000007fef36daa10 Thread C:\Windows\system32\svchost.exe [800:2712] 000007fef36e1c94 Thread C:\Windows\system32\svchost.exe [800:428] 000007fef396d3c8 Thread C:\Windows\system32\svchost.exe [800:3192] 000007fef396d3c8 Thread C:\Windows\system32\svchost.exe [800:952] 000007fef396d3c8 Thread C:\Windows\system32\svchost.exe [800:632] 000007fef396d3c8 Thread C:\Windows\system32\svchost.exe [1124:1588] 000007fef47bbec4 Thread C:\Windows\system32\svchost.exe [1124:884] 000007fef2b05170 Thread C:\Windows\system32\svchost.exe [1124:2096] 000007fef4485124 Thread C:\Windows\system32\svchost.exe [1824:2012] 000007fefabc6b40 Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [1872:2756] 000007fef3872e60 Thread C:\Windows\system32\svchost.exe [2120:2612] 000007fefabc6b40 Thread C:\Windows\system32\WUDFHost.exe [2952:2600] 000007fef26b24a0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [820:2064] 000007fefc4c2a7c ---- EOF - GMER 2.0 ----