GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-05 19:30:15 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0002 298,09GB Running: 3c791m00.exe; Driver: C:\Users\Start\AppData\Local\Temp\kwddykoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 000000014a030470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 000000014a030460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 000000014a030370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 000000014a030480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000014a0303e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 000000014a030320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 000000014a0303b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 000000014a030390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 000000014a0302e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 000000014a030440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 000000014a0302d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 000000014a030310 .text C:\Windows\system32\csrss.exe[464] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 000000014a0303c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 000000014a0303f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 000000014a030230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0xffffffffd25ae890} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 000000014a030490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 000000014a0303a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 000000014a0302f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 000000014a030350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 000000014a030290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 000000014a0302b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 000000014a0303d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 000000014a030330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0xffffffffd25ae590} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 000000014a030410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 000000014a030240 
.text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 000000014a0301e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 000000014a030250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0xffffffffd25ae090} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 000000014a0304a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 000000014a0304b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 000000014a030300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 000000014a030360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 000000014a0302a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 000000014a0302c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 000000014a030380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 000000014a030340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 000000014a030450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 000000014a030260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 000000014a030270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes 
JMP 000000014a030400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 000000014a0301f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 000000014a030210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 000000014a030200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 000000014a030420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 000000014a030430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 000000014a030220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 000000014a030280 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\wininit.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 
0000000077be02b0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\wininit.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000100120470 
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 
0xffffffff8869e890} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0xffffffff8869e590} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0xffffffff8869e090} .text C:\Windows\system32\csrss.exe[540] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000100120200 .text 
C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text 
C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\services.exe[576] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\services.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 
0000000077be0480 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\lsass.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text 
C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text 
C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text 
C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text 
C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes 
JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[700] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text 
C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 
5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[816] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 
0000000077be04b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[816] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 
.text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\System32\svchost.exe[876] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 
.text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[908] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0xffffffff885ee890} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 
0000000100070350 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0xffffffff885ee590} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0xffffffff885ee090} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 00000001000704b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[908] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000100070280 
.text C:\Windows\System32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text 
C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[444] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 
0000000077be02b0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[444] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 
0000000077be0470 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[932] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 
0x15e090} .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[932] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 
0000000077be02e0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text 
C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\winlogon.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\winlogon.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 
5 bytes JMP 0000000077be0460 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\FBAgent.exe[1112] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 
bytes JMP 0000000077be04a0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text 
C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\FBAgent.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1140] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1224] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\nvvsvc.exe[1344] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 
0000000077be03d0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 
0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text 
C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1540] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 
bytes JMP 0000000077be04a0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text 
C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 0000000077be03e0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text 
C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 0000000077be0400 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 3 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW + 4 00000000757f7607 1 byte [8A] .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 3 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA + 4 00000000757f8360 1 byte [8A] .text C:\Program Files (x86)\Application 
Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... 
* 2 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1952] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100110a08 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 
.text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001e01f8 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001001e03fc .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 00000001001e0804 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 00000001001e0600 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 00000001001e0a08 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100281014 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100280804 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100280a08 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 
0000000100280c0c .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100280e10 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002801f8 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002803fc .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100280600 .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... * 2 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\svchost.exe[2100] 
C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 00000001000a1014 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 00000001000a0804 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 00000001000a0a08 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 00000001000a0c0c .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 00000001000a0e10 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001000a01f8 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001000a03fc .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 00000001000a0600 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001801f8 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001001803fc .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100180804 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100180600 .text C:\Windows\SysWOW64\svchost.exe[2100] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100180a08 .text C:\Windows\System32\svchost.exe[2124] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\System32\svchost.exe[2200] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\System32\svchost.exe[2200] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\svchost.exe[2252] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010014075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001001403a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 
0000000100070470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000100070460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100140b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100140ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000100070370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000100070480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010014163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000100070320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000100070390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 00000001000702e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000100070440 .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 00000001000702d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000100070310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100141284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 00000001000703f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000100070230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0xffffffff885ee890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000100070490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000100070350 .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000100070330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0xffffffff885ee590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000100070410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000100070240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 00000001000701e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000100070250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0xffffffff885ee090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 00000001000704b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000100070300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000100070360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000100070380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000100070340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000100070450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000100070260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000100070270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001001419f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000100070210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000100070200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000100070430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000100070220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2332] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2588] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 00000001000a075c .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001000a03a4 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 00000001000a0b14 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 00000001000a0ecc .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 00000001000a163c .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[2672] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 00000001000a1284 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 
bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[2672] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001000a19f4 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes 
JMP 000007ff7fab1dac .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010032075c .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text 
C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010032163c .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100321284 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2820] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 
bytes JMP 0000000077be04a0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001003219f4 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text 
C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\svchost.exe[2820] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010037075c .text C:\Windows\system32\taskhost.exe[3608] 
C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010037163c .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 
0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100371284 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text 
C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\taskhost.exe[3608] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001003719f4 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\taskhost.exe[3608] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\taskhost.exe[3608] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010026075c .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010026163c .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100261284 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text 
C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\taskeng.exe[3640] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes 
JMP 0000000077be0220 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\taskeng.exe[3640] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\Dwm.exe[3716] 
C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010019163c .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\Dwm.exe[3716] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text 
C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001001919f4 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 
0000000077be0200 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\Dwm.exe[3716] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010012075c .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes 
JMP 00000001001203a4 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100120b14 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100120ecc .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010012163c .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text 
C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100121284 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\Explorer.EXE[3748] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001001219f4 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\Explorer.EXE[3748] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\Explorer.EXE[3748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 
000007ff7fab0b14 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3792] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program 
Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 00000001001f1014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 
00000000756954c2 5 bytes JMP 00000001001f0c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 00000001001f0e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[4060] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100271014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100270c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100270e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[4092] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes 
JMP 0000000100270600 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010022075c .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001002203a4 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100220b14 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100220ecc .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010022163c .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text 
C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100221284 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 
0000000077be0340 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001002219f4 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text 
C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\SysWOW64\ACEngSvr.exe[3168] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\wbem\wmiprvse.exe[2868] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 
000000010033075c .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001003303a4 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100330b14 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100330ecc .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010033163c .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 
0000000077be02d0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100331284 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte 
JMP 0000000077be0330 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 
0000000077be0340 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001003319f4 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 
5 bytes JMP 000007ff7fab0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Program Files\Elantech\ETDCtrl.exe[448] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc 
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3420] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files 
(x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[1216] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 00000001001d075c .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001001d03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 
bytes JMP 0000000077be0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 00000001001d0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 00000001001d0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 00000001001d163c .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text 
C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 00000001001d1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001001d19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Program Files\Windows Sidebar\sidebar.exe[1268] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK 
Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 00000001003e1014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 00000001003e0c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 00000001003e0e10 .text C:\Program Files (x86)\ASUS\ATK 
Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3384] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 
bytes JMP 00000001001d03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 00000001003e1014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 00000001003e0c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 00000001003e0e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3096] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 
0000000100030600 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 
0000000100261014 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3172] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files 
(x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[1500] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3552] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010046075c .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001004603a4 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100460b14 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100460ecc .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010046163c .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes 
JMP 0000000077be0320 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100461284 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\SearchIndexer.exe[2860] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001004619f4 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text 
C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\SearchIndexer.exe[2860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010042075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] 
C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001004203a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100420b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100420ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010042163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100421284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 
0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001004219f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2660] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] 
C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 
5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100271014 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 
00000000756954c2 5 bytes JMP 0000000100270c0c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100270e10 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2412] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\CyberLink\Shared 
files\RichVideo.exe[668] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100201014 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100200804 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100200a08 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100200c0c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100200e10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002001f8 .text C:\Program Files 
(x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002003fc .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[668] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100200600 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 
00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[3272] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text 
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[924] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes JMP 000000010040075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001004003a4 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 0000000100400b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 0000000100400ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 000000010040163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 0000000100401284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 
0000000077be03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 
0000000077be02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001004019f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 
0000000077be0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2832] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Windows\AsScrPro.exe[2664] 
C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100231014 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100230804 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100230a08 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100230c0c .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100230e10 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002301f8 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002303fc .text C:\Windows\AsScrPro.exe[2664] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100230600 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Windows\AsScrPro.exe[2664] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\Windows\AsScrPro.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... * 2 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] 
C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4192] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 0000000100260600 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 5 bytes 
JMP 00000001001d075c .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 5 bytes JMP 00000001001d163c .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text 
C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Windows\system32\taskhost.exe[4752] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes 
JMP 0000000077be0450 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 5 bytes JMP 00000001001d19f4 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 5 bytes JMP 000007ff7fab1dac .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 5 bytes JMP 000007ff7fab0ecc .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 5 bytes JMP 000007ff7fab1284 .text 
C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 5 bytes JMP 000007ff7fab163c .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 5 bytes JMP 000007ff7fab19f4 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 5 bytes JMP 000007ff7fab03a4 .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 5 bytes JMP 000007ff7fab075c .text C:\Windows\system32\taskhost.exe[4752] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 5 bytes JMP 000007ff7fab0b14 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 6 bytes {NOP ; JMP 0xffffffff8890cc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 6 bytes {NOP ; JMP 0xffffffff88908914} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 6 bytes {NOP ; JMP 0xffffffff888df684} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 6 bytes {NOP ; JMP 0xffffffff888df9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Program 
Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 6 bytes {NOP ; JMP 0xffffffff888e006c} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 6 bytes {NOP ; JMP 0xffffffff888dfa74} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text 
C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 
.text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 6 bytes {NOP ; JMP 
0xffffffff888df1b4} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feffc54ed0 9 bytes [68, 78, 03, 0E, 03, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbc65c54 7 bytes [68, 08, 03, 0E, 03, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbc65c64 9 bytes [68, 40, 03, 0E, 03, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4972] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007feff7b17a0 9 bytes [68, B0, 03, 0E, 03, C3, CC, ...] 
.text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A 0000000077a4f548 7 bytes JMP 00000001010a0570 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 6 bytes {NOP ; JMP 0xffffffff88a3cc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 6 bytes {NOP ; JMP 0xffffffff88a38914} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W 0000000077a5b0ac 7 bytes JMP 00000001010a05a8 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 6 bytes {NOP ; JMP 0xffffffff88a0f684} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 6 bytes {NOP ; JMP 0xffffffff88a0f9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 6 bytes {NOP ; JMP 0xffffffff88a1006c} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 6 bytes {NOP ; JMP 0xffffffff88a0fa74} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Program Files\Internet 
Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Program Files\Internet 
Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 6 bytes {NOP ; JMP 0xffffffff88a0f1b4} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Program 
Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\KERNEL32.dll!CreateThread 0000000077366580 9 bytes JMP 00000001010a04c8 .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 
000007feffa975e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\ole32.dll!OleLoadFromStream 000007feff2975f0 7 bytes [68, E0, 05, 0A, 01, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\OLEAUT32.dll!VariantClear 000007feffbf1180 10 bytes [68, C0, 06, 0A, 01, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\OLEAUT32.dll!SysFreeString 000007feffbf1320 7 bytes [68, 50, 06, 0A, 01, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 000007feffbf4450 6 bytes [68, 18, 06, 0A, 01, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 000007feffbf6720 10 bytes [68, 88, 06, 0A, 01, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feffc54ed0 9 bytes [68, 78, 03, 0A, 01, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbc65c54 7 bytes [68, 08, 03, 0A, 01, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbc65c64 9 bytes [68, 40, 03, 0A, 01, C3, CC, ...] 
.text C:\Program Files\Internet Explorer\iexplore.exe[1056] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007feff7b17a0 9 bytes [68, B0, 03, 0A, 01, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A 0000000077a4f548 7 bytes JMP 0000000102fe0570 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a53ae0 6 bytes {NOP ; JMP 0xffffffff887fcc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a57a90 6 bytes {NOP ; JMP 0xffffffff887f8914} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W 0000000077a5b0ac 7 bytes JMP 0000000102fe05a8 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a813c0 5 bytes JMP 0000000077be0470 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a81410 5 bytes JMP 0000000077be0460 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a81490 6 bytes {NOP ; JMP 0xffffffff887cf684} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a814f0 6 bytes {NOP ; JMP 0xffffffff887cf9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a81570 5 bytes JMP 0000000077be0370 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a815c0 5 bytes JMP 0000000077be0480 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a815d0 6 bytes {NOP ; JMP 0xffffffff887d006c} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a81680 5 bytes JMP 0000000077be0320 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a816b0 5 bytes JMP 0000000077be03b0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a816d0 5 bytes JMP 0000000077be0390 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a81710 5 bytes JMP 0000000077be02e0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a81760 5 bytes JMP 0000000077be0440 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a81790 5 bytes JMP 0000000077be02d0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a817b0 5 bytes JMP 0000000077be0310 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a817f0 5 bytes JMP 0000000077be03c0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a81810 6 bytes {NOP ; JMP 0xffffffff887cfa74} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a81840 5 bytes JMP 0000000077be03f0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a819a0 1 byte JMP 0000000077be0230 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a81b60 5 bytes JMP 0000000077be0490 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a81b90 5 bytes JMP 0000000077be03a0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a81c70 5 bytes JMP 0000000077be02f0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a81c80 5 bytes JMP 0000000077be0350 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a81ce0 5 bytes JMP 0000000077be0290 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a81d70 5 bytes JMP 0000000077be02b0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a81d90 5 bytes JMP 0000000077be03d0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a81da0 1 byte JMP 0000000077be0330 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a81da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a81e10 5 bytes JMP 0000000077be0410 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a81e40 5 bytes JMP 0000000077be0240 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a82100 5 bytes JMP 0000000077be01e0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a821c0 1 byte JMP 0000000077be0250 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a821f0 5 bytes JMP 0000000077be04a0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a82200 5 bytes JMP 0000000077be04b0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a82230 5 bytes JMP 0000000077be0300 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a82240 5 bytes JMP 0000000077be0360 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a822a0 5 bytes JMP 0000000077be02a0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a822f0 5 bytes JMP 0000000077be02c0 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a82320 5 bytes JMP 0000000077be0380 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a82330 5 bytes JMP 0000000077be0340 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a82620 5 bytes JMP 0000000077be0450 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a82820 5 bytes JMP 0000000077be0260 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a82830 5 bytes JMP 0000000077be0270 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a82840 6 bytes {NOP ; JMP 0xffffffff887cf1b4} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a82a00 5 bytes JMP 0000000077be01f0 .text C:\Program Files\Internet 
Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a82a10 5 bytes JMP 0000000077be0210 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a82a80 5 bytes JMP 0000000077be0200 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a82ae0 5 bytes JMP 0000000077be0420 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a82af0 5 bytes JMP 0000000077be0430 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a82b00 5 bytes JMP 0000000077be0220 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a82be0 5 bytes JMP 0000000077be0280 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\KERNEL32.dll!CreateThread 0000000077366580 9 bytes JMP 0000000102fe04c8 .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000773aeecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffa96e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffa96f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffa97220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffa9739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffa97538 6 
bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffa975e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffa9790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffa97ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\ole32.dll!OleLoadFromStream 000007feff2975f0 7 bytes [68, E0, 05, FE, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\OLEAUT32.dll!VariantClear 000007feffbf1180 10 bytes [68, C0, 06, FE, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\OLEAUT32.dll!SysFreeString 000007feffbf1320 7 bytes [68, 50, 06, FE, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 000007feffbf4450 6 bytes [68, 18, 06, FE, 02, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 000007feffbf6720 10 bytes [68, 88, 06, FE, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feffc54ed0 9 bytes [68, 78, 03, FE, 02, C3, CC, ...] 
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbc65c54 7 bytes [68, 08, 03, FE, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbc65c64 9 bytes [68, 40, 03, FE, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2744] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007feff7b17a0 9 bytes [68, B0, 03, FE, 02, C3, CC, ...] .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c2faa0 5 bytes JMP 0000000100030600 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c2fb38 5 bytes JMP 0000000100030804 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c2fc90 5 bytes JMP 0000000100030c0c .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c30018 5 bytes JMP 0000000100030a08 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c31900 5 bytes JMP 0000000100030e10 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c4c45a 5 bytes JMP 00000001000301f8 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c51217 5 bytes JMP 00000001000303fc .text D:\Downloads\3c791m00.exe[3520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d2a30a 1 byte [62] .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075695181 5 bytes JMP 00000001001d1014 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075695254 5 bytes JMP 
00000001001d0804 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756953d5 5 bytes JMP 00000001001d0a08 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756954c2 5 bytes JMP 00000001001d0c0c .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756955e2 5 bytes JMP 00000001001d0e10 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007569567c 5 bytes JMP 00000001001d01f8 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007569589f 5 bytes JMP 00000001001d03fc .text D:\Downloads\3c791m00.exe[3520] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075695a22 5 bytes JMP 00000001001d0600 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757eee09 5 bytes JMP 00000001002601f8 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000757f3982 5 bytes JMP 00000001002603fc .text D:\Downloads\3c791m00.exe[3520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757f7603 5 bytes JMP 0000000100260804 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757f835c 5 bytes JMP 0000000100260600 .text D:\Downloads\3c791m00.exe[3520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007580f52b 5 bytes JMP 0000000100260a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4280:4336] 000007feff150168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4280:4356] 000007fefb9c2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4280:4364] 000007feefb1d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4280:4540] 000007fef9f85124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 6 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 50519 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Tag 3 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@BootCounter 6 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@TickCounter 50519 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet003\services\avast! 
Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----