GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-10 11:34:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.PB3O 298,09GB
Running: gmer.exe; Driver: C:\Users\Sonka\AppData\Local\Temp\ugloypoc.sys


---- Kernel code sections - GMER 2.1 ----

.text   C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload                                                                                                             fffff88004a7bd64 12 bytes {MOV RAX, 0xfffffa8004e1a2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                       0000000077c413c0 5 bytes JMP 0000000149940440
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                0000000077c41410 5 bytes JMP 0000000149940430
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                     0000000077c415c0 1 byte JMP 0000000149940450
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                 0000000077c415c2 3 bytes {JMP 0xffffffffd1cfee90}
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077c415d0 5 bytes JMP 00000001499403b0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077c41680 5 bytes JMP 0000000149940320
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077c416b0 5 bytes JMP 0000000149940380
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                  0000000077c41710 5 bytes JMP 00000001499402e0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077c41760 5 bytes JMP 0000000149940410
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                0000000077c41790 5 bytes JMP 00000001499402d0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077c417b0 5 bytes JMP 0000000149940310
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077c417f0 5 bytes JMP 0000000149940390
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                            0000000077c41840 5 bytes JMP 00000001499403c0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                               0000000077c419a0 1 byte JMP 0000000149940230
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                           0000000077c419a2 3 bytes {JMP 0xffffffffd1cfe890}
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                    0000000077c41b60 5 bytes JMP 0000000149940460
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                   0000000077c41b90 5 bytes JMP 0000000149940370
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                            0000000077c41c70 5 bytes JMP 00000001499402f0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                         0000000077c41c80 5 bytes JMP 0000000149940350
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077c41ce0 5 bytes JMP 0000000149940290
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                            0000000077c41d70 5 bytes JMP 00000001499402b0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077c41d90 5 bytes JMP 00000001499403a0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                0000000077c41da0 1 byte JMP 0000000149940330
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                            0000000077c41da2 3 bytes {JMP 0xffffffffd1cfe590}
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                         0000000077c41e10 5 bytes JMP 00000001499403e0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                            0000000077c41e40 5 bytes JMP 0000000149940240
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 0000000077c42100 5 bytes JMP 00000001499401e0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                            0000000077c421c0 1 byte JMP 0000000149940250
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                        0000000077c421c2 3 bytes {JMP 0xffffffffd1cfe090}
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                            0000000077c421f0 5 bytes JMP 0000000149940470
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                   0000000077c42200 5 bytes JMP 0000000149940480
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                              0000000077c42230 5 bytes JMP 0000000149940300
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                           0000000077c42240 5 bytes JMP 0000000149940360
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                 0000000077c422a0 5 bytes JMP 00000001499402a0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                              0000000077c422f0 5 bytes JMP 00000001499402c0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                  0000000077c42330 5 bytes JMP 0000000149940340
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                           0000000077c42620 5 bytes JMP 0000000149940420
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                          0000000077c42820 5 bytes JMP 0000000149940260
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                             0000000077c42830 5 bytes JMP 0000000149940270
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           0000000077c42840 1 byte JMP 00000001499403d0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                       0000000077c42842 3 bytes {JMP 0xffffffffd1cfdb90}
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       0000000077c42a00 5 bytes JMP 00000001499401f0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                        0000000077c42a10 5 bytes JMP 0000000149940210
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                             0000000077c42a80 5 bytes JMP 0000000149940200
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                             0000000077c42ae0 5 bytes JMP 00000001499403f0
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                              0000000077c42af0 5 bytes JMP 0000000149940400
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077c42b00 5 bytes JMP 0000000149940220
.text   C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077c42be0 5 bytes JMP 0000000149940280
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                       0000000077c413c0 5 bytes JMP 0000000149940440
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                0000000077c41410 5 bytes JMP 0000000149940430
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                     0000000077c415c0 1 byte JMP 0000000149940450
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                 0000000077c415c2 3 bytes {JMP 0xffffffffd1cfee90}
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077c415d0 5 bytes JMP 00000001499403b0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077c41680 5 bytes JMP 0000000149940320
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077c416b0 5 bytes JMP 0000000149940380
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                  0000000077c41710 5 bytes JMP 00000001499402e0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077c41760 5 bytes JMP 0000000149940410
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                0000000077c41790 5 bytes JMP 00000001499402d0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077c417b0 5 bytes JMP 0000000149940310
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077c417f0 5 bytes JMP 0000000149940390
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                            0000000077c41840 5 bytes JMP 00000001499403c0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                               0000000077c419a0 1 byte JMP 0000000149940230
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                           0000000077c419a2 3 bytes {JMP 0xffffffffd1cfe890}
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                    0000000077c41b60 5 bytes JMP 0000000149940460
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                   0000000077c41b90 5 bytes JMP 0000000149940370
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                            0000000077c41c70 5 bytes JMP 00000001499402f0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                         0000000077c41c80 5 bytes JMP 0000000149940350
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077c41ce0 5 bytes JMP 0000000149940290
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                            0000000077c41d70 5 bytes JMP 00000001499402b0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077c41d90 5 bytes JMP 00000001499403a0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                0000000077c41da0 1 byte JMP 0000000149940330
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                            0000000077c41da2 3 bytes {JMP 0xffffffffd1cfe590}
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                         0000000077c41e10 5 bytes JMP 00000001499403e0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                            0000000077c41e40 5 bytes JMP 0000000149940240
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 0000000077c42100 5 bytes JMP 00000001499401e0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                            0000000077c421c0 1 byte JMP 0000000149940250
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                        0000000077c421c2 3 bytes {JMP 0xffffffffd1cfe090}
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                            0000000077c421f0 5 bytes JMP 0000000149940470
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                   0000000077c42200 5 bytes JMP 0000000149940480
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                              0000000077c42230 5 bytes JMP 0000000149940300
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                           0000000077c42240 5 bytes JMP 0000000149940360
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                 0000000077c422a0 5 bytes JMP 00000001499402a0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                              0000000077c422f0 5 bytes JMP 00000001499402c0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                  0000000077c42330 5 bytes JMP 0000000149940340
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                           0000000077c42620 5 bytes JMP 0000000149940420
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                          0000000077c42820 5 bytes JMP 0000000149940260
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                             0000000077c42830 5 bytes JMP 0000000149940270
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           0000000077c42840 1 byte JMP 00000001499403d0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                       0000000077c42842 3 bytes {JMP 0xffffffffd1cfdb90}
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       0000000077c42a00 5 bytes JMP 00000001499401f0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                        0000000077c42a10 5 bytes JMP 0000000149940210
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                             0000000077c42a80 5 bytes JMP 0000000149940200
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                             0000000077c42ae0 5 bytes JMP 00000001499403f0
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                              0000000077c42af0 5 bytes JMP 0000000149940400
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077c42b00 5 bytes JMP 0000000149940220
.text   C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077c42be0 5 bytes JMP 0000000149940280
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\wininit.exe[544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                    0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\winlogon.exe[592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                       0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                     0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                 0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                  0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                            0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                               0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                           0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                    0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                   0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                            0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                         0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                            0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                            0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                         0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                            0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                            0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                        0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                            0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                   0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                              0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                           0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                 0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                              0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                  0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                           0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                          0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                             0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                       0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                        0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                             0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                             0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                              0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                         0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                  0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                       0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                   0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                             0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                  0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                           0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                    0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                               0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                  0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                 0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                              0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                 0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                             0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                      0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                     0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                              0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                           0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                 0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                              0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                               0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                  0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                              0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                           0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                              0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                   0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                              0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                          0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                              0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                     0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                             0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                   0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                    0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                             0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                            0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                               0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                             0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                         0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                         0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                          0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                               0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                               0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                           0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                   0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                    0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                    0000000077b2eecd 1 byte [62]
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000100070440
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000100070430
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000100070450
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0xffffffff8842ee90}
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 00000001000703b0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000100070320
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000100070380
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 00000001000702e0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000100070410
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 00000001000702d0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000100070310
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000100070390
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 00000001000703c0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000100070230
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0xffffffff8842e890}
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000100070460
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000100070370
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 00000001000702f0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000100070350
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000100070290
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 00000001000702b0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 00000001000703a0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000100070330
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0xffffffff8842e590}
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 00000001000703e0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000100070240
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 00000001000701e0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000100070250
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0xffffffff8842e090}
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000100070470
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000100070480
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000100070300
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000100070360
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 00000001000702a0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 00000001000702c0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000100070340
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000100070420
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000100070260
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000100070270
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 00000001000703d0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0xffffffff8842db90}
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 00000001000701f0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000100070210
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000100070200
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 00000001000703f0
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000100070400
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000100070220
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000100070280
.text   C:\Windows\System32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                    0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\AUDIODG.EXE[484] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189                                                                    0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                     0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                              0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                   0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                               0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                           0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                              0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                             0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                         0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                 0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                          0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                       0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                             0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                          0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                              0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                          0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                       0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                          0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                          0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                      0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                          0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                 0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                            0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                         0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                               0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                            0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                         0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                        0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                           0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                         0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                     0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                      0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                           0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                            0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                               0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                    0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\FBAgent.exe[1496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                               0000000075cfa30a 1 byte [62]
.text   C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                            0000000075cfa30a 1 byte [62]
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                        0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                 0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                      0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                  0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                   0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                 0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                             0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                            0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                     0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                    0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                             0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                          0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                             0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                 0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                             0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                          0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                             0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                             0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                         0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                             0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                    0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                               0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                            0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                  0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                               0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                   0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                            0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                           0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                              0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                        0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                         0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                              0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                              0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                               0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                  0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\Dwm.exe[1704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                       0000000077b2eecd 1 byte [62]
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                            0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                     0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                          0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                      0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                     0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                              0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                       0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                  0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                     0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                   0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                    0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                 0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                    0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                                0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                         0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                        0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                 0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                              0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                    0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                 0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                  0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                     0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                                 0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                              0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                 0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                      0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                 0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                             0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                 0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                        0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                   0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                      0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                   0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                       0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                               0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                  0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                            0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                            0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                             0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                  0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                  0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                   0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                              0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                      0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\Explorer.EXE[1712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                           0000000077b2eecd 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                               0000000075cfa30a 1 byte [62]
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\System32\spoolsv.exe[1868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe[1972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE[2016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                              0000000075cfa30a 1 byte [62]
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                            0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                     0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                          0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                      0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                     0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                              0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                       0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                  0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                     0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                   0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                    0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                 0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                    0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                         0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                        0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                 0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                              0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                    0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                 0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                  0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                     0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                 0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                              0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                 0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                      0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                 0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                             0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                 0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                        0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                   0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                      0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                   0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                       0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                               0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                  0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                            0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                            0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                             0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                  0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                  0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                   0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                              0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                      0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                           0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 0000000077da03b0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                    0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                        0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                         0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                     0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                 0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                               0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                    0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                 0000000076075181 5 bytes JMP 0000000100091014
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                     0000000076075254 5 bytes JMP 0000000100090804
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                     00000000760753d5 5 bytes JMP 0000000100090a08
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                    00000000760754c2 5 bytes JMP 0000000100090c0c
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                    00000000760755e2 5 bytes JMP 0000000100090e10
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                           000000007607567c 5 bytes JMP 00000001000901f8
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                           000000007607589f 5 bytes JMP 00000001000903fc
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\SysWOW64\sechost.dll!DeleteService                            0000000076075a22 5 bytes JMP 0000000100090600
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\USER32.dll!SetWinEventHook                           000000007712ee09 5 bytes JMP 00000001001501f8
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                            0000000077133982 5 bytes JMP 00000001001503fc
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                         0000000077137603 5 bytes JMP 0000000100150804
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                         000000007713835c 5 bytes JMP 0000000100150600
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                       000000007714f52b 3 bytes JMP 0000000100150a08
.text   C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2444] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4                   000000007714f52f 1 byte [89]
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                 0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                     0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                      0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                  0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                              0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                            0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                 0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                        000000007712ee09 5 bytes JMP 00000001001001f8
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                         0000000077133982 5 bytes JMP 00000001001003fc
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                      0000000077137603 5 bytes JMP 0000000100100804
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                      000000007713835c 5 bytes JMP 0000000100100600
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                    000000007714f52b 5 bytes JMP 0000000100100a08
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                              0000000076075181 5 bytes JMP 0000000100111014
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                  0000000076075254 5 bytes JMP 0000000100110804
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                  00000000760753d5 5 bytes JMP 0000000100110a08
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                 00000000760754c2 5 bytes JMP 0000000100110c0c
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                 00000000760755e2 5 bytes JMP 0000000100110e10
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                        000000007607567c 5 bytes JMP 00000001001101f8
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                        000000007607589f 5 bytes JMP 00000001001103fc
.text   C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2524] C:\Windows\SysWOW64\sechost.dll!DeleteService                                         0000000076075a22 5 bytes JMP 0000000100110600
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                              0000000077c13ae0 5 bytes JMP 000000010026075c
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                0000000077c17a90 5 bytes JMP 00000001002603a4
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                   0000000077c41490 5 bytes JMP 0000000100260b14
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                       0000000077c414f0 5 bytes JMP 0000000100260ecc
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 000000010026163c
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                    0000000077c41810 5 bytes JMP 0000000100261284
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                    000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                    000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                   000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                   000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                          000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                          000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\System32\svchost.exe[2548] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                           000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                           0000000077defaa0 5 bytes JMP 0000000100230600
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                               0000000077defb38 5 bytes JMP 0000000100230804
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                0000000077defc90 5 bytes JMP 0000000100230c0c
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                            0000000077df0018 5 bytes JMP 0000000100230a08
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                        0000000077e0c45a 5 bytes JMP 00000001002301f8
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                      0000000077e11217 5 bytes JMP 00000001002303fc
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                           0000000075cfa30a 1 byte [62]
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                        0000000076075181 5 bytes JMP 0000000100241014
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                            0000000076075254 5 bytes JMP 0000000100240804
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                            00000000760753d5 5 bytes JMP 0000000100240a08
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                           00000000760754c2 5 bytes JMP 0000000100240c0c
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                           00000000760755e2 5 bytes JMP 0000000100240e10
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                  000000007607567c 5 bytes JMP 00000001002401f8
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                  000000007607589f 5 bytes JMP 00000001002403fc
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                   0000000076075a22 5 bytes JMP 0000000100240600
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                  000000007712ee09 5 bytes JMP 00000001002501f8
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                                   0000000077133982 5 bytes JMP 00000001002503fc
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                0000000077137603 5 bytes JMP 0000000100250804
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                000000007713835c 5 bytes JMP 0000000100250600
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                              000000007714f52b 5 bytes JMP 0000000100250a08
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                         0000000077101465 2 bytes [10, 77]
.text   C:\Windows\AsScrPro.exe[3040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                        00000000771014bb 2 bytes [10, 77]
.text   ...                                                                                                                                                           * 2
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                             0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                 0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                  0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                              0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                          0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                        0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                             0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                    000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                     0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                  0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                  000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                          0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                              0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                              00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                             00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                             00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                    000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                    000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3056] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                     0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                              0000000077c13ae0 5 bytes JMP 000000010042075c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                0000000077c17a90 5 bytes JMP 00000001004203a4
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                   0000000077c41490 5 bytes JMP 0000000100420b14
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                       0000000077c414f0 5 bytes JMP 0000000100420ecc
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                        0000000077c415d0 5 bytes JMP 000000010042163c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                    0000000077c41810 5 bytes JMP 0000000100421284
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                   0000000077b2eecd 1 byte [62]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                    000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                    000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                   000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                   000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                          000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                          000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2292] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                           000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                    0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                 0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                             0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                           0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                       000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                        0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                     0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                     000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                   000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                             0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                 0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                 00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                       000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                       000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1764] C:\Windows\SysWOW64\sechost.dll!DeleteService                                        0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                    000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                    000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                   000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                   000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                          000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                          000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\system32\svchost.exe[2928] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                           000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                        0000000077c13ae0 5 bytes JMP 00000001002e075c
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                          0000000077c17a90 5 bytes JMP 00000001002e03a4
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                              0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                       0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                             0000000077c41490 5 bytes JMP 00000001002e0b14
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                 0000000077c414f0 5 bytes JMP 00000001002e0ecc
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                            0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                        0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  0000000077c415d0 5 bytes JMP 00000001002e163c
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                       0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                         0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                       0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                     0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                              0000000077c41810 5 bytes JMP 00000001002e1284
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                   0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                      0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                  0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                           0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                          0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                   0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                      0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                   0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                       0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                   0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                   0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                   0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                               0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                   0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                          0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                     0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                  0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                        0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                     0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                         0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                  0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                 0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                    0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                              0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                               0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                    0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                        0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                             0000000077b2eecd 1 byte [62]
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                          000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                              000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                              000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                             000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                             000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                    000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                    000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files\Elantech\ETDCtrl.exe[1332] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                     000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                        0000000077c13ae0 5 bytes JMP 00000001003b075c
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                          0000000077c17a90 5 bytes JMP 00000001003b03a4
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                             0000000077c41490 5 bytes JMP 00000001003b0b14
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                 0000000077c414f0 5 bytes JMP 00000001003b0ecc
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                  0000000077c415d0 5 bytes JMP 00000001003b163c
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                              0000000077c41810 5 bytes JMP 00000001003b1284
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                             0000000077b2eecd 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                          000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                              000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                              000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                             000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                             000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                    000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                    000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[1940] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                     000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                        0000000077c13ae0 5 bytes JMP 000000010047075c
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                          0000000077c17a90 5 bytes JMP 00000001004703a4
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                             0000000077c41490 5 bytes JMP 0000000100470b14
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                 0000000077c414f0 5 bytes JMP 0000000100470ecc
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                        0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000077c415d0 5 bytes JMP 000000010047163c
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                    0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                              0000000077c41810 5 bytes JMP 0000000100471284
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                  0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                   0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                               0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                              0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                             0000000077b2eecd 1 byte [62]
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                          000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                              000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                              000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                             000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                             000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                    000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                    000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[148] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                     000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                              0000000077c13ae0 5 bytes JMP 000000010024075c
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                0000000077c17a90 5 bytes JMP 00000001002403a4
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                   0000000077c41490 5 bytes JMP 0000000100240b14
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                       0000000077c414f0 5 bytes JMP 0000000100240ecc
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 000000010024163c
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                    0000000077c41810 5 bytes JMP 0000000100241284
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                    000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                    000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                   000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                   000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                          000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                          000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\System32\igfxtray.exe[840] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                           000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                0000000077c13ae0 5 bytes JMP 00000001002e075c
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                  0000000077c17a90 5 bytes JMP 00000001002e03a4
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                      0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                               0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                     0000000077c41490 5 bytes JMP 00000001002e0b14
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                         0000000077c414f0 5 bytes JMP 00000001002e0ecc
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                    0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                                0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          0000000077c415d0 5 bytes JMP 00000001002e163c
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                               0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                        0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                 0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                            0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                               0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                             0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                              0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                      0000000077c41810 5 bytes JMP 00000001002e1284
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                           0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                              0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                          0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                   0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                  0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                           0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                        0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                              0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                           0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                            0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                               0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                           0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                        0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                           0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                           0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                       0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                           0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                  0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                             0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                          0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                             0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                 0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                          0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                         0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                            0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                          0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                      0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                      0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                       0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                            0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                            0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                             0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                        0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                     0000000077b2eecd 1 byte [62]
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                  000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                      000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                      000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                     000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                     000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                            000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                            000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\System32\hkcmd.exe[2308] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                             000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                              0000000077c13ae0 5 bytes JMP 000000010041075c
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                0000000077c17a90 5 bytes JMP 00000001004103a4
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                   0000000077c41490 5 bytes JMP 0000000100410b14
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                       0000000077c414f0 5 bytes JMP 0000000100410ecc
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                              0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077c415d0 5 bytes JMP 000000010041163c
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                    0000000077c41810 5 bytes JMP 0000000100411284
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                        0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                         0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                                     0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                                    0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                    000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                    000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                   000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                   000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                          000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                          000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\System32\igfxpers.exe[388] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                           000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                              000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                  000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                  000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                 000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                 000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                        000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                        000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\WindowsMobile\wmdc.exe[2376] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                         000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                 0000000077c13ae0 5 bytes JMP 00000001001a075c
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                   0000000077c17a90 5 bytes JMP 00000001001a03a4
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                       0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                      0000000077c41490 5 bytes JMP 00000001001a0b14
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                          0000000077c414f0 5 bytes JMP 00000001001a0ecc
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                     0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                 0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                           0000000077c415d0 5 bytes JMP 00000001001a163c
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                         0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                  0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                             0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                              0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                               0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                       0000000077c41810 5 bytes JMP 00000001001a1284
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                            0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                               0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                           0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                    0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                   0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                            0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                         0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                               0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                            0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                             0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                            0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                         0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                            0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                 0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                            0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                        0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                            0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                   0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                              0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                           0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                 0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                              0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                  0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                           0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                          0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                             0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                           0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                       0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                       0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                        0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                             0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                             0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                              0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                         0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                 0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                      0000000077b2eecd 1 byte [62]
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                   000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                       000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                       000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                      000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                      000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                             000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                             000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files\Windows Sidebar\sidebar.exe[3080] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                              000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                  0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                      0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                       0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                   0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                               0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                             0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                  0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                         000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                          0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                       0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                       000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                     000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                               0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                   0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                   00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                  00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                  00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                         000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                         000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\BlazeVideo\BlazeDTV 6.0\MediaDetector.exe[3156] C:\Windows\SysWOW64\sechost.dll!DeleteService                                          0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                       0000000077c13ae0 5 bytes JMP 000000010039075c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                         0000000077c17a90 5 bytes JMP 00000001003903a4
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                             0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                      0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                            0000000077c41490 5 bytes JMP 0000000100390b14
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                0000000077c414f0 5 bytes JMP 0000000100390ecc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                           0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                       0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                 0000000077c415d0 5 bytes JMP 000000010039163c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                      0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                               0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                        0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                   0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                      0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                    0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                     0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                             0000000077c41810 5 bytes JMP 0000000100391284
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                  0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                     0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                 0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                          0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                         0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                  0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                               0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                     0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                  0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                   0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                      0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                  0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                               0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                  0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                       0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                  0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                              0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                  0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                         0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                    0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                 0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                       0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                    0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                        0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                 0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                   0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                 0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                             0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                             0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                              0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                   0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                   0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                    0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                               0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                       0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                            0000000077b2eecd 1 byte [62]
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                         000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                             000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                             000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                            000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                            000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                   000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                   000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3200] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                    000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                             0000000077c13ae0 5 bytes JMP 000000010032075c
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                               0000000077c17a90 5 bytes JMP 00000001003203a4
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                   0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                            0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                  0000000077c41490 5 bytes JMP 0000000100320b14
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                      0000000077c414f0 5 bytes JMP 0000000100320ecc
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                 0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2             0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                       0000000077c415d0 5 bytes JMP 000000010032163c
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                            0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                     0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                              0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                         0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                            0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                          0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                           0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                   0000000077c41810 5 bytes JMP 0000000100321284
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                        0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                           0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                       0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject               0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                        0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                     0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                           0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                        0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                         0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                            0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                        0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                     0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                        0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                             0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                        0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                    0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                        0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys               0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                          0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                       0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                             0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                          0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                              0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                       0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                      0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                         0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                       0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                   0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                   0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                    0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                         0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                         0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                          0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                     0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                             0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity               000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                   000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                   000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                  000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                  000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                         000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                         000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3480] C:\Windows\SYSTEM32\sechost.dll!DeleteService                          000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                           0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                               0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                            0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                        0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                      0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                           0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                  000000007712ee09 5 bytes JMP 00000001001d01f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                   0000000077133982 5 bytes JMP 00000001001d03fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                0000000077137603 5 bytes JMP 00000001001d0804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                000000007713835c 5 bytes JMP 00000001001d0600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                              000000007714f52b 5 bytes JMP 00000001001d0a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                        0000000076075181 5 bytes JMP 00000001001e1014
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                            0000000076075254 5 bytes JMP 00000001001e0804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                            00000000760753d5 5 bytes JMP 00000001001e0a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                           00000000760754c2 5 bytes JMP 00000001001e0c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                           00000000760755e2 5 bytes JMP 00000001001e0e10
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                  000000007607567c 5 bytes JMP 00000001001e01f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                  000000007607589f 5 bytes JMP 00000001001e03fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3564] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                   0000000076075a22 5 bytes JMP 00000001001e0600
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                   0000000077defaa0 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                       0000000077defb38 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                        0000000077defc90 5 bytes JMP 0000000100240c0c
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                    0000000077df0018 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                0000000077e0c45a 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                              0000000077e11217 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                   0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                          000000007712ee09 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                           0000000077133982 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                        0000000077137603 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                        000000007713835c 5 bytes JMP 0000000100250600
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                      000000007714f52b 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                0000000076075181 5 bytes JMP 0000000100261014
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                    0000000076075254 5 bytes JMP 0000000100260804
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                    00000000760753d5 5 bytes JMP 0000000100260a08
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                   00000000760754c2 5 bytes JMP 0000000100260c0c
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                   00000000760755e2 5 bytes JMP 0000000100260e10
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                          000000007607567c 5 bytes JMP 00000001002601f8
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                          000000007607589f 5 bytes JMP 00000001002603fc
.text   C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3592] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                           0000000076075a22 5 bytes JMP 0000000100260600
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                  0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                      0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                       0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                   0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                               0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                             0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                  0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                         000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                          0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                       0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                       000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                     000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                               0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                   0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                   00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                  00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                  00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                         000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                         000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3612] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                          0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                             0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                 0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                  0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                              0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                          0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                        0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                             0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                    000000007712ee09 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                     0000000077133982 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                  0000000077137603 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                  000000007713835c 5 bytes JMP 0000000100250600
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                000000007714f52b 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                          0000000076075181 5 bytes JMP 00000001002e1014
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                              0000000076075254 5 bytes JMP 00000001002e0804
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                              00000000760753d5 5 bytes JMP 00000001002e0a08
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                             00000000760754c2 5 bytes JMP 00000001002e0c0c
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                             00000000760755e2 5 bytes JMP 00000001002e0e10
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                    000000007607567c 5 bytes JMP 00000001002e01f8
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                    000000007607589f 5 bytes JMP 00000001002e03fc
.text   C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe[3652] C:\Windows\SysWOW64\sechost.dll!DeleteService                                     0000000076075a22 5 bytes JMP 00000001002e0600
.text   C:\Program Files\AVAST Software\Avast\AvastUI.exe[3660] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                 0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                 0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                     0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                      0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                  0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                              0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                            0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                 0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity              0000000076075181 5 bytes JMP 0000000100101014
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                  0000000076075254 5 bytes JMP 0000000100100804
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                  00000000760753d5 5 bytes JMP 0000000100100a08
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                 00000000760754c2 5 bytes JMP 0000000100100c0c
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                 00000000760755e2 5 bytes JMP 0000000100100e10
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                        000000007607567c 5 bytes JMP 00000001001001f8
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                        000000007607589f 5 bytes JMP 00000001001003fc
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\SysWOW64\sechost.dll!DeleteService                         0000000076075a22 5 bytes JMP 0000000100100600
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\syswow64\USER32.dll!SetWinEventHook                        000000007712ee09 5 bytes JMP 00000001001101f8
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                         0000000077133982 5 bytes JMP 00000001001103fc
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                      0000000077137603 5 bytes JMP 0000000100110804
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                      000000007713835c 5 bytes JMP 0000000100110600
.text   C:\Program Files (x86)\Nokia\Nokia Internet Modem\NokiaInternetModem_AppStart.exe[3672] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                    000000007714f52b 5 bytes JMP 0000000100110a08
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                        0000000077c13ae0 5 bytes JMP 000000010042075c
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                          0000000077c17a90 5 bytes JMP 00000001004203a4
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                              0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                       0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                             0000000077c41490 5 bytes JMP 0000000100420b14
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                 0000000077c414f0 5 bytes JMP 0000000100420ecc
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                            0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                                        0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  0000000077c415d0 5 bytes JMP 000000010042163c
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                       0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                         0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                       0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                     0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                              0000000077c41810 5 bytes JMP 0000000100421284
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                   0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                      0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                                                  0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                           0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                          0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                   0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                      0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                   0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                       0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                                                   0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                   0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                   0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                                               0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                   0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                          0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                     0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                  0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                        0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                     0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                         0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                  0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                 0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                    0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                                              0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                               0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                    0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                        0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                             0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                          000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                              000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                              000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                             000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                             000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                    000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                    000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\system32\SearchIndexer.exe[4092] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                     000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                0000000077c13ae0 5 bytes JMP 00000001003c075c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                  0000000077c17a90 5 bytes JMP 00000001003c03a4
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                      0000000077c413c0 5 bytes JMP 0000000077da0440
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                               0000000077c41410 5 bytes JMP 0000000077da0430
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                     0000000077c41490 5 bytes JMP 00000001003c0b14
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                         0000000077c414f0 5 bytes JMP 00000001003c0ecc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                    0000000077c415c0 1 byte JMP 0000000077da0450
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2                                0000000077c415c2 3 bytes {JMP 0x15ee90}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                          0000000077c415d0 5 bytes JMP 00000001003c163c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                               0000000077c41680 5 bytes JMP 0000000077da0320
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                        0000000077c416b0 5 bytes JMP 0000000077da0380
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                 0000000077c41710 5 bytes JMP 0000000077da02e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                            0000000077c41760 5 bytes JMP 0000000077da0410
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                               0000000077c41790 5 bytes JMP 0000000077da02d0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                             0000000077c417b0 5 bytes JMP 0000000077da0310
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                              0000000077c417f0 5 bytes JMP 0000000077da0390
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                      0000000077c41810 5 bytes JMP 00000001003c1284
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                           0000000077c41840 5 bytes JMP 0000000077da03c0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                              0000000077c419a0 1 byte JMP 0000000077da0230
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2                                          0000000077c419a2 3 bytes {JMP 0x15e890}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                   0000000077c41b60 5 bytes JMP 0000000077da0460
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                  0000000077c41b90 5 bytes JMP 0000000077da0370
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                           0000000077c41c70 5 bytes JMP 0000000077da02f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                        0000000077c41c80 5 bytes JMP 0000000077da0350
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                              0000000077c41ce0 5 bytes JMP 0000000077da0290
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                           0000000077c41d70 5 bytes JMP 0000000077da02b0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                            0000000077c41d90 5 bytes JMP 0000000077da03a0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                               0000000077c41da0 1 byte JMP 0000000077da0330
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2                                           0000000077c41da2 3 bytes {JMP 0x15e590}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                        0000000077c41e10 5 bytes JMP 0000000077da03e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                           0000000077c41e40 5 bytes JMP 0000000077da0240
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                0000000077c42100 5 bytes JMP 0000000077da01e0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                           0000000077c421c0 1 byte JMP 0000000077da0250
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2                                       0000000077c421c2 3 bytes {JMP 0x15e090}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                           0000000077c421f0 5 bytes JMP 0000000077da0470
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                  0000000077c42200 5 bytes JMP 0000000077da0480
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                             0000000077c42230 5 bytes JMP 0000000077da0300
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                          0000000077c42240 5 bytes JMP 0000000077da0360
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                0000000077c422a0 5 bytes JMP 0000000077da02a0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                             0000000077c422f0 5 bytes JMP 0000000077da02c0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                 0000000077c42330 5 bytes JMP 0000000077da0340
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                          0000000077c42620 5 bytes JMP 0000000077da0420
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                         0000000077c42820 5 bytes JMP 0000000077da0260
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                            0000000077c42830 5 bytes JMP 0000000077da0270
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                          0000000077c42840 1 byte JMP 0000000077da03d0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2                                      0000000077c42842 3 bytes {JMP 0x15db90}
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                      0000000077c42a00 5 bytes JMP 0000000077da01f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                       0000000077c42a10 5 bytes JMP 0000000077da0210
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                            0000000077c42a80 5 bytes JMP 0000000077da0200
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                            0000000077c42ae0 5 bytes JMP 0000000077da03f0
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                             0000000077c42af0 5 bytes JMP 0000000077da0400
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                        0000000077c42b00 5 bytes JMP 0000000077da0220
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                0000000077c42be0 5 bytes JMP 0000000077da0280
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                     0000000077b2eecd 1 byte [62]
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                  000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                      000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                      000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                     000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                     000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                            000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                            000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3288] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                             000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                   0000000077b2eecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                    000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                    000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                   000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                   000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                          000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                          000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                           000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                             0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                 0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                  0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                              0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                          0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                        0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                             0000000075cfa30a 1 byte [62]
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                    000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                     0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                  0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                  000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                          0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                              0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                              00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                             00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                             00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                    000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                    000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[2916] C:\Windows\SysWOW64\sechost.dll!DeleteService                                     0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                          000007feffee6e00 5 bytes JMP 000007ff7ff01dac
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                              000007feffee6f2c 5 bytes JMP 000007ff7ff00ecc
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                              000007feffee7220 5 bytes JMP 000007ff7ff01284
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                             000007feffee739c 5 bytes JMP 000007ff7ff0163c
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                             000007feffee7538 5 bytes JMP 000007ff7ff019f4
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                    000007feffee75e8 5 bytes JMP 000007ff7ff003a4
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                    000007feffee790c 5 bytes JMP 000007ff7ff0075c
.text   C:\Windows\system32\wbem\wmiprvse.exe[4492] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                     000007feffee7ab4 5 bytes JMP 000007ff7ff00b14
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                 0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                     0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                      0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                  0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                              0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                            0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                 0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                        000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                         0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                      0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                      000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                    000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                              0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                  0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                  00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                 00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                 00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                        000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                        000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4736] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                         0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                    0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                     0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                 0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                             0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                           0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                       000000007712ee09 5 bytes JMP 00000001001d01f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                        0000000077133982 5 bytes JMP 00000001001d03fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                     0000000077137603 5 bytes JMP 00000001001d0804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                     000000007713835c 5 bytes JMP 00000001001d0600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                   000000007714f52b 5 bytes JMP 00000001001d0a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                             0000000076075181 5 bytes JMP 00000001001e1014
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                 0000000076075254 5 bytes JMP 00000001001e0804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                 00000000760753d5 5 bytes JMP 00000001001e0a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                00000000760754c2 5 bytes JMP 00000001001e0c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                00000000760755e2 5 bytes JMP 00000001001e0e10
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                       000000007607567c 5 bytes JMP 00000001001e01f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                       000000007607589f 5 bytes JMP 00000001001e03fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4776] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                        0000000076075a22 5 bytes JMP 00000001001e0600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                    0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                        0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                         0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                     0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                 0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                               0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                    0000000075cfa30a 1 byte [62]
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                           000000007712ee09 5 bytes JMP 00000001002401f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                            0000000077133982 5 bytes JMP 00000001002403fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                         0000000077137603 5 bytes JMP 0000000100240804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                         000000007713835c 5 bytes JMP 0000000100240600
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                       000000007714f52b 5 bytes JMP 0000000100240a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                 0000000076075181 5 bytes JMP 0000000100251014
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                     0000000076075254 5 bytes JMP 0000000100250804
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                     00000000760753d5 5 bytes JMP 0000000100250a08
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                    00000000760754c2 5 bytes JMP 0000000100250c0c
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                    00000000760755e2 5 bytes JMP 0000000100250e10
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                           000000007607567c 5 bytes JMP 00000001002501f8
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                           000000007607589f 5 bytes JMP 00000001002503fc
.text   C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4788] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                            0000000076075a22 5 bytes JMP 0000000100250600
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                   0000000077defaa0 5 bytes JMP 0000000100030600
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                       0000000077defb38 5 bytes JMP 0000000100030804
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                        0000000077defc90 5 bytes JMP 0000000100030c0c
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                    0000000077df0018 5 bytes JMP 0000000100030a08
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                0000000077e0c45a 5 bytes JMP 00000001000301f8
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                              0000000077e11217 5 bytes JMP 00000001000303fc
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                   0000000075cfa30a 1 byte [62]
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                0000000076075181 5 bytes JMP 0000000100241014
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                    0000000076075254 5 bytes JMP 0000000100240804
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                    00000000760753d5 5 bytes JMP 0000000100240a08
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                   00000000760754c2 5 bytes JMP 0000000100240c0c
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                   00000000760755e2 5 bytes JMP 0000000100240e10
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                          000000007607567c 5 bytes JMP 00000001002401f8
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                          000000007607589f 5 bytes JMP 00000001002403fc
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                           0000000076075a22 5 bytes JMP 0000000100240600
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                          000000007712ee09 5 bytes JMP 00000001002501f8
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                           0000000077133982 5 bytes JMP 00000001002503fc
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                        0000000077137603 5 bytes JMP 0000000100250804
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                        000000007713835c 5 bytes JMP 0000000100250600
.text   C:\Users\Sonka\Desktop\gmer.exe[3780] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                      000000007714f52b 5 bytes JMP 0000000100250a08

---- Devices - GMER 2.1 ----

Device  \Driver\a3nckwbp \Device\Scsi\a3nckwbp1                                                                                                                       fffffa80050212c0
Device  \Driver\a6b3rkx9 \Device\Scsi\a6b3rkx91                                                                                                                       fffffa80050232c0
Device  \Driver\a3nckwbp \Device\Scsi\a3nckwbp1Port1Path0Target0Lun0                                                                                                  fffffa80050212c0
Device  \FileSystem\Ntfs \Ntfs                                                                                                                                        fffffa8003cbf2c0
Device  \FileSystem\fastfat \Fat                                                                                                                                      fffffa800a7e22c0
Device  \Driver\usbehci \Device\USBFDO-7                                                                                                                              fffffa8004fe02c0
Device  \Driver\usbuhci \Device\USBPDO-5                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbehci \Device\USBFDO-3                                                                                                                              fffffa8004fe02c0
Device  \Driver\usbuhci \Device\USBPDO-1                                                                                                                              fffffa8004e1c2c0
Device  \Driver\cdrom \Device\CdRom0                                                                                                                                  fffffa80061882c0
Device  \Driver\usbuhci \Device\USBPDO-6                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbuhci \Device\USBFDO-4                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbuhci \Device\USBFDO-0                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbuhci \Device\USBPDO-2                                                                                                                              fffffa8004e1c2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{BABE4AB9-7999-4127-9BD0-8ABDBE1F5EB8}                                                                                      fffffa8004de12c0
Device  \Driver\usbehci \Device\USBPDO-7                                                                                                                              fffffa8004fe02c0
Device  \Driver\usbuhci \Device\USBFDO-5                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbehci \Device\USBPDO-3                                                                                                                              fffffa8004fe02c0
Device  \Driver\usbuhci \Device\USBFDO-1                                                                                                                              fffffa8004e1c2c0
Device  \Driver\volmgr \Device\HarddiskVolume1                                                                                                                        fffffa8003cb32c0
Device  \Driver\volmgr \Device\FtControl                                                                                                                              fffffa8003cb32c0
Device  \Driver\volmgr \Device\VolMgrControl                                                                                                                          fffffa8003cb32c0
Device  \Driver\volmgr \Device\HarddiskVolume2                                                                                                                        fffffa8003cb32c0
Device  \Driver\volmgr \Device\HarddiskVolume3                                                                                                                        fffffa8003cb32c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                       fffffa8004de12c0
Device  \Driver\usbuhci \Device\USBFDO-6                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbuhci \Device\USBPDO-4                                                                                                                              fffffa8004e1c2c0
Device  \Driver\usbuhci \Device\USBFDO-2                                                                                                                              fffffa8004e1c2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{4937335D-F8E4-4DC2-826C-2C0BC82268BF}                                                                                      fffffa8004de12c0
Device  \Driver\usbuhci \Device\USBPDO-0                                                                                                                              fffffa8004e1c2c0
Device  \Driver\a3nckwbp \Device\ScsiPort1                                                                                                                            fffffa80050212c0
Device  \Driver\a6b3rkx9 \Device\ScsiPort2                                                                                                                            fffffa80050232c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{5958B0C1-320D-452E-86D8-B1860B06E69A}                                                                                      fffffa8004de12c0

---- Modules - GMER 2.1 ----

Module  \SystemRoot\System32\Drivers\a3nckwbp.SYS                                                                                                                     fffff88003e00000-fffff88003e43000 (274432 bytes)
Module  \SystemRoot\System32\Drivers\a6b3rkx9.SYS                                                                                                                     fffff880011b5000-fffff880011fa000 (282624 bytes)

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3ae37a9                                                                                   
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3ae37a9@60a10a5cbdd2                                                                      0x1D 0x7A 0x00 0x72 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1                                                                                                            771343423
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2                                                                                                            285507792
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0                                                                                                            2
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                                                                              
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0                                                                           C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                           1
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                        0x18 0x22 0x26 0xE8 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001                                                                     
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0                                                                  0x20 0x01 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew                                                               0xEF 0x23 0x94 0x03 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40                                                              
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew                                                        0x56 0xF3 0xF9 0x6E ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                                              
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                           C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                           0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                           0
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                        0xE6 0x8B 0x85 0x29 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                                                     
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                  0x20 0x01 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                               0xE4 0x22 0xF2 0xF4 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                                                                
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                          0x9A 0xFB 0xEB 0x61 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1                                                                
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12                                                          0x4D 0x38 0x03 0xB4 ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3ae37a9 (not active ControlSet)                                                               
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3ae37a9@60a10a5cbdd2                                                                          0x1D 0x7A 0x00 0x72 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                                                          
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0                                                                               C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                               1
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                            0x18 0x22 0x26 0xE8 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)                                                 
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0                                                                      0x20 0x01 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew                                                                   0xEF 0x23 0x94 0x03 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)                                          
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew                                                            0x56 0xF3 0xF9 0x6E ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                          
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                               C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                               0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                               0
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                            0xE6 0x8B 0x85 0x29 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                                                 
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                      0x20 0x01 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                                   0xE4 0x22 0xF2 0xF4 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)                                            
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                              0x9A 0xFB 0xEB 0x61 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)                                            
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12                                                              0x4D 0x38 0x03 0xB4 ...

---- EOF - GMER 2.1 ----
