GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-15 11:03:01 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0011LVM1 465,76GB Running: 0jxgrf2k.exe; Driver: C:\Users\Dominika\AppData\Local\Temp\pgddqpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 706 fffff80002fc0092 6 bytes [00, 00, 41, B9, 40, 40] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 713 fffff80002fc0099 59 bytes [00, 41, B8, 10, 30, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 000000014a3d0440 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 000000014a3d0430 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 000000014a3d0450 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0xffffffffd316ee90} .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000014a3d03b0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 000000014a3d0320 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 000000014a3d0380 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 000000014a3d02e0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 000000014a3d0410 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 000000014a3d02d0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 000000014a3d0310 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 000000014a3d0390 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 000000014a3d03c0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 000000014a3d0230 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0xffffffffd316e890} .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 000000014a3d0460 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 000000014a3d0370 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 000000014a3d02f0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 000000014a3d0350 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 000000014a3d0290 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 000000014a3d02b0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 000000014a3d03a0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 000000014a3d0330 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0xffffffffd316e590} .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 000000014a3d03e0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 000000014a3d0240 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 000000014a3d01e0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 000000014a3d0250 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0xffffffffd316e090} .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 000000014a3d0470 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 000000014a3d0480 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 000000014a3d0300 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 000000014a3d0360 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 000000014a3d02a0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 000000014a3d02c0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 000000014a3d0340 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 000000014a3d0420 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 000000014a3d0260 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 000000014a3d0270 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 000000014a3d03d0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0xffffffffd316db90} .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 000000014a3d01f0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 000000014a3d0210 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 000000014a3d0200 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 000000014a3d03f0 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 000000014a3d0400 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 000000014a3d0220 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 000000014a3d0280 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\wininit.exe[532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 000000014a3d0440 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 000000014a3d0430 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 000000014a3d0450 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0xffffffffd316ee90} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000014a3d03b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 000000014a3d0320 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 000000014a3d0380 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 000000014a3d02e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 000000014a3d0410 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 000000014a3d02d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 000000014a3d0310 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 000000014a3d0390 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 000000014a3d03c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 000000014a3d0230 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0xffffffffd316e890} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 000000014a3d0460 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 000000014a3d0370 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 000000014a3d02f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 000000014a3d0350 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 000000014a3d0290 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 000000014a3d02b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 000000014a3d03a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 000000014a3d0330 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0xffffffffd316e590} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 000000014a3d03e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 000000014a3d0240 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 000000014a3d01e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 000000014a3d0250 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0xffffffffd316e090} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 000000014a3d0470 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 000000014a3d0480 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 000000014a3d0300 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 000000014a3d0360 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 000000014a3d02a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 000000014a3d02c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 000000014a3d0340 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 000000014a3d0420 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 000000014a3d0260 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 000000014a3d0270 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 000000014a3d03d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0xffffffffd316db90} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 000000014a3d01f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 000000014a3d0210 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 000000014a3d0200 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 000000014a3d03f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 000000014a3d0400 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 000000014a3d0220 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 000000014a3d0280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\atiesrxx.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\System32\svchost.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0xffffffff88e0ee90} .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0xffffffff88e0e890} .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0xffffffff88e0e590} .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0xffffffff88e0e090} .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0xffffffff88e0db90} .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\atieclxx.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0xffffffff88e0ee90} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0xffffffff88e0e890} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0xffffffff88e0e590} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0xffffffff88e0e090} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0xffffffff88e0db90} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000000773c03b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010036075c .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001003603a4 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100360b14 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100360ecc .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010036163c .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100361284 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Program Files\Bonjour\mDNSResponder.exe[2000] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000070d911a8 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000070d913a8 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000070d91422 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000070d91498 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000070bb1b41 2 bytes [BB, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000070bb1be8 2 bytes [BB, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000070bb1c20 2 bytes [BB, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000070bb1cd2 2 bytes [BB, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[2020] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000070bb1cf2 2 bytes [BB, 70] .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[1612] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001001101f8 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[1612] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001001103fc .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[1612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100110804 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[1612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100110600 .text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[1612] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100110a08 .text C:\Windows\system32\svchost.exe[2304] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\svchost.exe[2304] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010011075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001103a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100110b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100110ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010011163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100111284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 00000001003f075c .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001003f03a4 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 00000001003f0b14 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 00000001003f0ecc .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001003f163c .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 00000001003f1284 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010027075c .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001002703a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100270b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100270ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010027163c .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100271284 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\wbem\wmiprvse.exe[2748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 00000001003b075c .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001003b03a4 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 00000001003b0b14 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 00000001003b0ecc .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001003b163c .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 00000001003b1284 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 00000001001e075c .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001001e163c .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\Dwm.exe[724] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010016075c .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001603a4 .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100160b14 .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100160ecc .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010016163c .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100161284 .text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\Explorer.EXE[2096] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 00000001001f075c .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001f03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 00000001001f0b14 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 00000001001f0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001001f163c .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 00000001001f1284 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Program Files\Elantech\ETDCtrl.exe[2800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 00000001001d075c .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 00000001001d0b14 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001001d163c .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 00000001001d1284 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\System32\mobsync.exe[952] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 00000001001a075c .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 00000001001a163c .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\svchost.exe[3116] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010022075c .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001002203a4 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100220b14 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100220ecc .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010022163c .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100221284 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\System32\svchost.exe[3368] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010013075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001303a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100130b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100130ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010013163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100131284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3560] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001002401f8 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001002403fc .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100240804 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100240600 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100240a08 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100251014 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100250804 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100250a08 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100250c0c .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100250e10 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001002501f8 .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001002503fc .text C:\Users\Dominika\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3592] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100250600 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001002401f8 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001002403fc .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100240804 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100240600 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100240a08 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100251014 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100250804 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100250a08 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100250c0c .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100250e10 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001002501f8 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001002503fc .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100250600 .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Users\Dominika\AppData\Roaming\Spotify\spotify.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001002401f8 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001002403fc .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100240804 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100240600 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100240a08 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100251014 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100250804 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100250a08 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100250c0c .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100250e10 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001002501f8 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001002503fc .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100250600 .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Users\Dominika\AppData\Roaming\Dropbox\bin\Dropbox.exe[3868] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text G:\Program Files\AVAST Software\Avast\AvastUI.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text G:\Program Files\AVAST Software\Avast\AvastUI.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3928] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100260a08 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001000e1014 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001000e0804 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001000e0a08 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001000e0c0c .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001000e0e10 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001000e01f8 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001000e03fc .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001000e0600 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001000f01f8 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001000f03fc .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001000f0804 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001000f0600 .text G:\Program Files\iTunes\iTunesHelper.exe[4004] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001000f0a08 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010039075c .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001003903a4 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100390b14 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100390ecc .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010039163c .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100391284 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Program Files\iPod\bin\iPodService.exe[3612] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010011075c .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001103a4 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100110b14 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100110ecc .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010011163c .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100111284 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\System32\svchost.exe[4876] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010012075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001203a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100120b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100120ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010012163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100121284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007714eecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077233ae0 5 bytes JMP 000000010013075c .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077237a90 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772613c0 5 bytes JMP 00000000773c0440 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077261410 5 bytes JMP 00000000773c0430 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077261490 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772614f0 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772615c0 1 byte JMP 00000000773c0450 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772615d0 5 bytes JMP 000000010013163c .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077261680 5 bytes JMP 00000000773c0320 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772616b0 5 bytes JMP 00000000773c0380 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077261710 5 bytes JMP 00000000773c02e0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077261760 5 bytes JMP 00000000773c0410 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077261790 5 bytes JMP 00000000773c02d0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772617b0 5 bytes JMP 00000000773c0310 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772617f0 5 bytes JMP 00000000773c0390 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077261810 5 bytes JMP 0000000100131284 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077261840 5 bytes JMP 00000000773c03c0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772619a0 1 byte JMP 00000000773c0230 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077261b60 5 bytes JMP 00000000773c0460 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077261b90 5 bytes JMP 00000000773c0370 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077261c70 5 bytes JMP 00000000773c02f0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077261c80 5 bytes JMP 00000000773c0350 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077261ce0 5 bytes JMP 00000000773c0290 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077261d70 5 bytes JMP 00000000773c02b0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077261d90 5 bytes JMP 00000000773c03a0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077261da0 1 byte JMP 00000000773c0330 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077261da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077261e10 5 bytes JMP 00000000773c03e0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077261e40 5 bytes JMP 00000000773c0240 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077262100 5 bytes JMP 00000000773c01e0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772621c0 1 byte JMP 00000000773c0250 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772621f0 5 bytes JMP 00000000773c0470 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077262200 5 bytes JMP 00000000773c0480 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077262230 5 bytes JMP 00000000773c0300 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077262240 5 bytes JMP 00000000773c0360 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772622a0 5 bytes JMP 00000000773c02a0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772622f0 5 bytes JMP 00000000773c02c0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077262330 5 bytes JMP 00000000773c0340 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077262620 5 bytes JMP 00000000773c0420 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077262820 5 bytes JMP 00000000773c0260 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077262830 5 bytes JMP 00000000773c0270 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077262840 1 byte JMP 00000000773c03d0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077262842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077262a00 5 bytes JMP 00000000773c01f0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077262a10 5 bytes JMP 00000000773c0210 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077262a80 5 bytes JMP 00000000773c0200 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077262ae0 5 bytes JMP 00000000773c03f0 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077262af0 5 bytes JMP 00000000773c0400 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077262b00 5 bytes JMP 00000000773c0220 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077262be0 5 bytes JMP 00000000773c0280 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec56e00 5 bytes JMP 000007ff7ec71dac .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec56f2c 5 bytes JMP 000007ff7ec70ecc .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec57220 5 bytes JMP 000007ff7ec71284 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec5739c 5 bytes JMP 000007ff7ec7163c .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec57538 5 bytes JMP 000007ff7ec719f4 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec575e8 5 bytes JMP 000007ff7ec703a4 .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec5790c 5 bytes JMP 000007ff7ec7075c .text C:\Windows\system32\wuauclt.exe[4796] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec57ab4 5 bytes JMP 000007ff7ec70b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100171014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100170a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100170c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100170e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100170600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4528] entry point in ".rdata" section 0000000068d771e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001005b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001005b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001005b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001005b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001005b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001005c1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001005c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001005c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001005c0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001005c0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001005c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001005c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001005c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001010a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001010a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001010a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001010a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001010a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001010b1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001010b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001010b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001010b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001010b0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001010b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001010b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001010b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001010c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001010c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001010c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001010c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001010c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001011d1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001011d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001011d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001011d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001011d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001011d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001011d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001011d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 0000000100ce01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 0000000100ce03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100ce0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100ce0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100ce0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100d31014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100d30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100d30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100d30c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100d30e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 0000000100d301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 0000000100d303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100d30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001007b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001007b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001007b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001007b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001007b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001007c1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001007c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001007c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001007c0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001007c0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001007c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001007c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001007c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 0000000100e601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 0000000100e603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100e60804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100e60600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100e60a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100e71014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100e70804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100e70a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100e70c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100e70e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 0000000100e701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 0000000100e703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100e70600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001005f01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001005f03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001005f0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001005f0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001005f0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100601014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100600804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100600a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100600c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100600e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001006001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001006003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100600600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 0000000100d801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 0000000100d803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100d80804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100d80600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100d80a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100d91014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100d90804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100d90a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100d90c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100d90e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 0000000100d901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 0000000100d903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100d90600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001007d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001007d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001007d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001007d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001007d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001007e1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001007e0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001007e0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001007e0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001007e0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001007e01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001007e03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001007e0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001009001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001009003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100900804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100900600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100900a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100911014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100910804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100910a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100910c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100910e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001009101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001009103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100910600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001008b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001008b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001008b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001008b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001008b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001008c1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001008c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001008c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001008c0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001008c0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001008c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001008c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001008c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001006c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001006c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001006c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001006c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001006c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001006d1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001006d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001006d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001006d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001006d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001006d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001006d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001006d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001001e1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001001e0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001001e0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001006a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 3 bytes JMP 00000001006a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\USER32.dll!UnhookWinEvent + 4 0000000075693986 1 byte [8B] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001006a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001006a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001006a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001006b1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001006b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001006b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001006b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001006b0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001006b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001006b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001006b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001008801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001008803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 0000000100880804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 0000000100880600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 0000000100880a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 0000000100891014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 0000000100890804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 0000000100890a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 0000000100890c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 0000000100890e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001008901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001008903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 0000000100890600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075201465 2 bytes [20, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752014bb 2 bytes [20, 75] .text ... * 2 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076835181 5 bytes JMP 00000001002d1014 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076835254 5 bytes JMP 00000001002d0804 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768353d5 5 bytes JMP 00000001002d0a08 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768354c2 5 bytes JMP 00000001002d0c0c .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768355e2 5 bytes JMP 00000001002d0e10 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007683567c 5 bytes JMP 00000001002d01f8 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007683589f 5 bytes JMP 00000001002d03fc .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076835a22 5 bytes JMP 00000001002d0600 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007568ee09 5 bytes JMP 00000001002e01f8 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075693982 5 bytes JMP 00000001002e03fc .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075697603 5 bytes JMP 00000001002e0804 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007569835c 5 bytes JMP 00000001002e0600 .text G:\Downloads\0jxgrf2k.exe[3656] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756af52b 5 bytes JMP 00000001002e0a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:3212] 000007fefef10168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:3376] 000007fefb632a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:3384] 000007fef190d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:3392] 000007fef190d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:3584] 000007fef9085124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:3164] 000007fef18a9730 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3080:2184] 000007fef190d618 Thread C:\Windows\System32\svchost.exe [4876:1444] 000007fee94f9688 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----