GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-04 20:36:46 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4 ST1000DM003-1CH162 rev.CC44 931,51GB Running: l061jixm.exe; Driver: C:\Users\a\AppData\Local\Temp\kxlcapow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000175d40 8 bytes [10, 3F, C9, 06, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001a5b00 7 bytes [40, 48, F3, FF, 01, 56, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960001a5b08 3 bytes [C0, 06, 02] .text ... * 106 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 484 fffff9600026e1cc 6 bytes {JMP QWORD [RIP-0xbf312]} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0xffffffff88bb4490} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0xffffffff88bb4490} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000761a1401 2 bytes JMP 7591b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000761a1419 2 bytes JMP 7591b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000761a1431 2 bytes JMP 75999149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000761a144a 2 bytes CALL 758f4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000761a14dd 2 bytes JMP 75998a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000761a14f5 2 bytes JMP 75998c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000761a150d 2 bytes JMP 75998938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000761a1525 2 bytes JMP 75998d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000761a153d 2 bytes JMP 7590fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000761a1555 2 bytes JMP 75916907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000761a156d 2 bytes JMP 75999201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000761a1585 2 bytes JMP 75998d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000761a159d 2 bytes JMP 759988fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000761a15b5 2 bytes JMP 7590fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000761a15cd 2 bytes JMP 7591b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000761a16b2 2 bytes JMP 759990c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[964] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000761a16bd 2 bytes JMP 75998891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0xffffffff88bb4490} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\taskeng.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\Dwm.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\Explorer.EXE[2944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\svchost.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\System32\svchost.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\system32\wbem\wmiprvse.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000761a1401 2 bytes JMP 7591b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000761a1419 2 bytes JMP 7591b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000761a1431 2 bytes JMP 75999149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000761a144a 2 bytes CALL 758f4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000761a14dd 2 bytes JMP 75998a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000761a14f5 2 bytes JMP 75998c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000761a150d 2 bytes JMP 75998938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000761a1525 2 bytes JMP 75998d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000761a153d 2 bytes JMP 7590fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000761a1555 2 bytes JMP 75916907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000761a156d 2 bytes JMP 75999201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000761a1585 2 bytes JMP 75998d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000761a159d 2 bytes JMP 759988fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000761a15b5 2 bytes JMP 7590fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000761a15cd 2 bytes JMP 7591b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000761a16b2 2 bytes JMP 759990c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3372] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000761a16bd 2 bytes JMP 75998891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0xffffffff88bb4490} .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\rundll32.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000761a1401 2 bytes JMP 7591b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000761a1419 2 bytes JMP 7591b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000761a1431 2 bytes JMP 75999149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000761a144a 2 bytes CALL 758f4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000761a14dd 2 bytes JMP 75998a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000761a14f5 2 bytes JMP 75998c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000761a150d 2 bytes JMP 75998938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000761a1525 2 bytes JMP 75998d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000761a153d 2 bytes JMP 7590fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000761a1555 2 bytes JMP 75916907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000761a156d 2 bytes JMP 75999201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000761a1585 2 bytes JMP 75998d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000761a159d 2 bytes JMP 759988fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000761a15b5 2 bytes JMP 7590fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000761a15cd 2 bytes JMP 7591b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000761a16b2 2 bytes JMP 759990c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[3728] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000761a16bd 2 bytes JMP 75998891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3668] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000758f8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774bbbe0 5 bytes JMP 0000000077620480 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774bbc30 5 bytes JMP 0000000077620470 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 5 bytes JMP 0000000077620360 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774bbde0 5 bytes JMP 0000000077620490 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774bbdf0 5 bytes JMP 00000000776203d0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774bbea0 5 bytes JMP 0000000077620310 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774bbed0 5 bytes JMP 00000000776203a0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774bbef0 1 byte JMP 0000000077620380 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000774bbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774bbf30 5 bytes JMP 00000000776202d0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774bbfb0 5 bytes JMP 00000000776202c0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774bbfd0 5 bytes JMP 0000000077620300 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774bc010 5 bytes JMP 00000000776203b0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774bc050 5 bytes JMP 0000000077620440 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774bc060 5 bytes JMP 00000000776203e0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774bc1c0 5 bytes JMP 0000000077620220 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774bc380 5 bytes JMP 00000000776204a0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774bc3b0 5 bytes JMP 0000000077620390 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774bc490 5 bytes JMP 00000000776202e0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774bc4a0 5 bytes JMP 0000000077620340 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774bc500 5 bytes JMP 0000000077620280 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774bc590 5 bytes JMP 00000000776202a0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774bc5b0 5 bytes JMP 00000000776203c0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774bc5c0 5 bytes JMP 0000000077620320 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774bc630 5 bytes JMP 0000000077620410 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774bc660 5 bytes JMP 0000000077620230 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774bc800 5 bytes JMP 00000000776203f0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774bc920 5 bytes JMP 00000000776201d0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774bc9e0 5 bytes JMP 0000000077620240 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774bca10 5 bytes JMP 00000000776204b0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774bca20 5 bytes JMP 00000000776204c0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774bca50 5 bytes JMP 00000000776202f0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774bca60 5 bytes JMP 0000000077620350 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774bcac0 5 bytes JMP 0000000077620290 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774bcb10 5 bytes JMP 00000000776202b0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 5 bytes JMP 0000000077620370 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774bcb50 5 bytes JMP 0000000077620330 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774bce40 5 bytes JMP 0000000077620460 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774bcfa0 5 bytes JMP 0000000077620420 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774bd040 5 bytes JMP 0000000077620250 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774bd050 5 bytes JMP 0000000077620260 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774bd060 5 bytes JMP 0000000077620400 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774bd220 5 bytes JMP 00000000776201e0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774bd230 5 bytes JMP 0000000077620200 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774bd2a0 5 bytes JMP 00000000776201f0 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774bd300 5 bytes JMP 0000000077620430 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774bd310 5 bytes JMP 0000000077620450 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774bd320 5 bytes JMP 0000000077620210 .text C:\Windows\System32\svchost.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774bd400 5 bytes JMP 0000000077620270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 000000000044075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000004403a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes {JMP QWORD [RIP+0x8ca534a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774bbdb0 14 bytes {MOV RAX, 0x7feecdd8d50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes {JMP QWORD [RIP+0x8cc4fca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes {JMP QWORD [RIP+0x8e886aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes {JMP QWORD [RIP+0x8db32da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes {JMP QWORD [RIP+0x8df0a1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes {JMP QWORD [RIP+0x8e9ff2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes {JMP QWORD [RIP+0x8dc181a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes {JMP QWORD [RIP+0x8de16ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes {JMP QWORD [RIP+0x8e1b96a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes {JMP QWORD [RIP+0x8d56d0a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes {JMP QWORD [RIP+0x8d9603a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes {JMP QWORD [RIP+0x8e35afa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes {JMP QWORD [RIP+0xcf6fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes JMP 7feec95 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes {JMP QWORD [RIP+0xdfc4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes {JMP QWORD [RIP+0x11fc1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes {JMP QWORD [RIP+0xdd78a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes {JMP QWORD [RIP+0x11d75a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\SHELL32.dll!ShellExecuteW 000007fefe6597b4 6 bytes {JMP QWORD [RIP+0xe07846]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007fefe664f0c 6 bytes {JMP QWORD [RIP+0xe1c0ee]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes {JMP QWORD [RIP+0x4ab07a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes {JMP QWORD [RIP+0x583eda]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes {JMP QWORD [RIP+0x542b8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes {JMP QWORD [RIP+0x528e5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes {JMP QWORD [RIP+0x5023aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes JMP 34382e32 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes JMP d1a027d .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes JMP 135ef2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 0000000011c063a1 5 bytes {JMP QWORD [RIP+0x1bac5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 0000000011c06f60 6 bytes JMP 6a110000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 0000000011c9e281 5 bytes {JMP QWORD [RIP+0x142d7a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLDownloadToFileA + 1 0000000011c9e401 5 bytes {JMP QWORD [RIP+0x102bfa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 0000000011c9e550 6 bytes JMP 640065 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 0000000011c9e630 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 0000000011c9e951 5 bytes JMP 3d270000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3664] C:\Windows\system32\urlmon.dll!URLOpenStreamW 0000000011c9ea20 6 bytes {JMP QWORD [RIP+0x1625da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 000000000027075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000002703a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes {JMP QWORD [RIP+0x8ca534a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes {JMP QWORD [RIP+0x8cc4fca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes {JMP QWORD [RIP+0x8e886aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes {JMP QWORD [RIP+0x8db32da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes {JMP QWORD [RIP+0x8df0a1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes {JMP QWORD [RIP+0x8e9ff2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes {JMP QWORD [RIP+0x8dc181a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes {JMP QWORD [RIP+0x8de16ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes {JMP QWORD [RIP+0x8e1b96a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes {JMP QWORD [RIP+0x8d56d0a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes {JMP QWORD [RIP+0x8d9603a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes {JMP QWORD [RIP+0x8e35afa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes JMP 7aa40000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes {JMP QWORD [RIP+0x165d2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes {JMP QWORD [RIP+0xdfc4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes {JMP QWORD [RIP+0x11fc1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes {JMP QWORD [RIP+0xdd78a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes {JMP QWORD [RIP+0x11d75a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes {JMP QWORD [RIP+0x4ab07a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes {JMP QWORD [RIP+0x583eda]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes {JMP QWORD [RIP+0x542b8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes {JMP QWORD [RIP+0x528e5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes {JMP QWORD [RIP+0x5023aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes {JMP QWORD [RIP+0x411e8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes JMP 7fe0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes {JMP QWORD [RIP+0x4b86fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3368] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 000000000023075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000002303a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774bbc00 7 bytes [48, B8, 74, 0B, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000774bbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes JMP c3e6ff9e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000774bbd70 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f6713} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000774bbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 7 bytes [48, B8, 94, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000774bbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000774bbda0 7 bytes [48, B8, 98, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000774bbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774bbdb0 7 bytes [48, B8, 58, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000774bbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000774bbdd0 7 bytes [48, B8, C4, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000774bbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000774bbe20 7 bytes [48, B8, 58, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000774bbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000774bbe30 7 bytes [48, B8, D0, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000774bbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774bbe60 7 bytes [48, B8, 3C, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774bbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000774bbf00 7 bytes [48, B8, 70, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000774bbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes JMP f4f7ffef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774bc080 7 bytes [48, B8, C8, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000774bc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000774bcaf0 7 bytes [48, B8, B8, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000774bcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 7 bytes [48, B8, 70, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000774bcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000774bcc90 7 bytes [48, B8, 84, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000774bcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes JMP 3333ff33 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes JMP f4f7ffef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes JMP f2f2fff2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes JMP ffffffff .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes JMP f2f5feee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes JMP f4f7ffef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes JMP fbf8fffd .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes JMP fcfafffe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes {JMP QWORD [RIP+0xcf6fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes {JMP QWORD [RIP+0x165d2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes {JMP QWORD [RIP+0x11fc1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes JMP d730d730 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes {JMP QWORD [RIP+0x11d75a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes {JMP QWORD [RIP+0x4ab07a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes {JMP QWORD [RIP+0x583eda]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes {JMP QWORD [RIP+0x542b8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes {JMP QWORD [RIP+0x528e5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes {JMP QWORD [RIP+0x5023aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes JMP 3e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes {JMP QWORD [RIP+0x4b86fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes JMP 315f6563 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 000000000021075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000002103a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774bbc00 7 bytes [48, B8, 74, 0B, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000774bbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes {JMP QWORD [RIP+0x8ca534a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000774bbd70 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f6713} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000774bbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 7 bytes [48, B8, 94, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000774bbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000774bbda0 7 bytes [48, B8, 98, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000774bbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774bbdb0 7 bytes [48, B8, 58, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000774bbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000774bbdd0 7 bytes [48, B8, C4, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000774bbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000774bbe20 7 bytes [48, B8, 58, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000774bbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000774bbe30 7 bytes [48, B8, D0, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000774bbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774bbe60 7 bytes [48, B8, 3C, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774bbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000774bbf00 7 bytes [48, B8, 70, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000774bbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes {JMP QWORD [RIP+0x8cc4fca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774bc080 7 bytes [48, B8, C8, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000774bc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000774bcaf0 7 bytes [48, B8, B8, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000774bcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 7 bytes [48, B8, 70, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000774bcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000774bcc90 7 bytes [48, B8, 84, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000774bcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes {JMP QWORD [RIP+0x8e886aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes {JMP QWORD [RIP+0x8db32da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes {JMP QWORD [RIP+0x8df0a1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes {JMP QWORD [RIP+0x8e9ff2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes {JMP QWORD [RIP+0x8dc181a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes {JMP QWORD [RIP+0x8de16ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes {JMP QWORD [RIP+0x8e1b96a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes {JMP QWORD [RIP+0x8d56d0a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes {JMP QWORD [RIP+0x8d9603a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes {JMP QWORD [RIP+0x8e35afa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes {JMP QWORD [RIP+0xcf6fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes {JMP QWORD [RIP+0x165d2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes {JMP QWORD [RIP+0xdfc4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes {JMP QWORD [RIP+0x11fc1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes {JMP QWORD [RIP+0xdd78a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes {JMP QWORD [RIP+0x11d75a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes {JMP QWORD [RIP+0x4ab07a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes {JMP QWORD [RIP+0x583eda]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes {JMP QWORD [RIP+0x542b8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes {JMP QWORD [RIP+0x528e5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes {JMP QWORD [RIP+0x5023aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes {JMP QWORD [RIP+0x411e8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes {JMP QWORD [RIP+0x3e11da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes {JMP QWORD [RIP+0x4b86fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 00000000001c075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000001c03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774bbc00 7 bytes [48, B8, 74, 0B, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000774bbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes {JMP QWORD [RIP+0x8ca534a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000774bbd70 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f6713} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000774bbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 7 bytes [48, B8, 94, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000774bbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000774bbda0 7 bytes [48, B8, 98, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000774bbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774bbdb0 7 bytes [48, B8, 58, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000774bbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000774bbdd0 7 bytes [48, B8, C4, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000774bbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000774bbe20 7 bytes [48, B8, 58, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000774bbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000774bbe30 7 bytes [48, B8, D0, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000774bbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774bbe60 7 bytes [48, B8, 3C, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774bbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000774bbf00 7 bytes [48, B8, 70, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000774bbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes {JMP QWORD [RIP+0x8cc4fca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774bc080 7 bytes [48, B8, C8, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000774bc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000774bcaf0 7 bytes [48, B8, B8, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000774bcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 7 bytes [48, B8, 70, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000774bcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000774bcc90 7 bytes [48, B8, 84, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000774bcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes {JMP QWORD [RIP+0x8e886aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes {JMP QWORD [RIP+0x8db32da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes {JMP QWORD [RIP+0x8df0a1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes {JMP QWORD [RIP+0x8e9ff2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes {JMP QWORD [RIP+0x8dc181a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes {JMP QWORD [RIP+0x8de16ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes {JMP QWORD [RIP+0x8e1b96a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes {JMP QWORD [RIP+0x8d56d0a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes {JMP QWORD [RIP+0x8d9603a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes {JMP QWORD [RIP+0x8e35afa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes JMP 74737271 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes JMP 72676f72 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes {JMP QWORD [RIP+0x583eda]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes {JMP QWORD [RIP+0x5023aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes {JMP QWORD [RIP+0x411e8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes {JMP QWORD [RIP+0x3e11da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes {JMP QWORD [RIP+0x395c2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 00000000002e075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000002e03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774bbc00 7 bytes [48, B8, 74, 0B, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000774bbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes {JMP QWORD [RIP+0x8ca534a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000774bbd70 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f6713} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000774bbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 7 bytes [48, B8, 94, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000774bbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000774bbda0 7 bytes [48, B8, 98, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000774bbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774bbdb0 7 bytes [48, B8, 58, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000774bbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000774bbdd0 7 bytes [48, B8, C4, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000774bbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000774bbe20 7 bytes [48, B8, 58, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000774bbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000774bbe30 7 bytes [48, B8, D0, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000774bbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774bbe60 7 bytes [48, B8, 3C, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774bbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000774bbf00 7 bytes [48, B8, 70, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000774bbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes {JMP QWORD [RIP+0x8cc4fca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774bc080 7 bytes [48, B8, C8, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000774bc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000774bcaf0 7 bytes [48, B8, B8, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000774bcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 7 bytes [48, B8, 70, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000774bcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000774bcc90 7 bytes [48, B8, 84, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000774bcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes {JMP QWORD [RIP+0x8e886aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes {JMP QWORD [RIP+0x8db32da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes {JMP QWORD [RIP+0x8df0a1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes {JMP QWORD [RIP+0x8e9ff2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes {JMP QWORD [RIP+0x8dc181a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes {JMP QWORD [RIP+0x8de16ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes {JMP QWORD [RIP+0x8e1b96a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes {JMP QWORD [RIP+0x8d56d0a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes {JMP QWORD [RIP+0x8d9603a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes {JMP QWORD [RIP+0x8e35afa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes {JMP QWORD [RIP+0x165d2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes {JMP QWORD [RIP+0x11fc1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes {JMP QWORD [RIP+0x11d75a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes {JMP QWORD [RIP+0x4ab07a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes {JMP QWORD [RIP+0x542b8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes {JMP QWORD [RIP+0x528e5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes JMP 7feff41 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes JMP 7d .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes {JMP QWORD [RIP+0x4b86fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077492170 5 bytes JMP 000000000024075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077495be0 5 bytes JMP 00000000002403a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774bbc00 7 bytes [48, B8, 74, 0B, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000774bbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774bbcb0 6 bytes {JMP QWORD [RIP+0x8ca534a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000774bbd70 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f6713} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000774bbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774bbd90 7 bytes [48, B8, 94, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000774bbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000774bbda0 7 bytes [48, B8, 98, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000774bbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774bbdb0 7 bytes [48, B8, 58, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000774bbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000774bbdd0 7 bytes [48, B8, C4, 0A, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000774bbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000774bbe20 7 bytes [48, B8, 58, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000774bbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000774bbe30 7 bytes [48, B8, D0, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000774bbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774bbe60 7 bytes [48, B8, 3C, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774bbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000774bbf00 7 bytes [48, B8, 70, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000774bbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774bc030 6 bytes {JMP QWORD [RIP+0x8cc4fca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774bc080 7 bytes [48, B8, C8, 0C, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000774bc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000774bcaf0 7 bytes [48, B8, B8, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000774bcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774bcb40 7 bytes [48, B8, 70, 0F, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000774bcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000774bcc90 7 bytes [48, B8, 84, 0D, 67, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000774bcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!CopyFileW 0000000077258950 6 bytes {JMP QWORD [RIP+0x8e886aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007726dd20 6 bytes {JMP QWORD [RIP+0x8db32da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000772705e0 6 bytes {JMP QWORD [RIP+0x8df0a1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!GetThreadSelectorEntry 00000000772a10d0 6 bytes {JMP QWORD [RIP+0x8e9ff2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!MoveFileW 00000000772df7e0 6 bytes {JMP QWORD [RIP+0x8dc181a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!MoveFileA 00000000772df940 6 bytes {JMP QWORD [RIP+0x8de16ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!CopyFileA 00000000772e5690 6 bytes {JMP QWORD [RIP+0x8e1b96a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalA 00000000772ea2f0 6 bytes {JMP QWORD [RIP+0x8d56d0a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000772eafc0 6 bytes {JMP QWORD [RIP+0x8d9603a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNEL32.dll!WinExec 00000000772eb500 6 bytes {JMP QWORD [RIP+0x8e35afa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd491900 6 bytes {JMP QWORD [RIP+0xcf6fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd49b2d1 5 bytes {JMP QWORD [RIP+0x165d2a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd4a13b0 6 bytes {JMP QWORD [RIP+0xdfc4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd4a13e0 6 bytes {JMP QWORD [RIP+0x11fc1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd4c3870 6 bytes {JMP QWORD [RIP+0xdd78a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd4c38a0 6 bytes {JMP QWORD [RIP+0x11d75a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd884ae0 6 bytes {JMP QWORD [RIP+0x4ec51a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefd8e5f80 6 bytes {JMP QWORD [RIP+0x4ab07a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefd8ed120 6 bytes {JMP QWORD [RIP+0x583eda]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefd8ee470 6 bytes {JMP QWORD [RIP+0x542b8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!InternetReadFileExW 000007fefd9281a0 6 bytes {JMP QWORD [RIP+0x528e5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefd936c80 6 bytes {JMP QWORD [RIP+0x57a37a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefd98ec50 6 bytes JMP 7feff41 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefd9ef170 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefd9efe20 6 bytes {JMP QWORD [RIP+0x3e11da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefda18900 6 bytes {JMP QWORD [RIP+0x4b86fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefda1b3d0 6 bytes JMP 3f191f ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b3e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b3c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b4614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b4a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b486c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa80066a9840] [unknown section] IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa800830d840] [unknown section] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee723fd14] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee723f59c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee723fcfc] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee724005c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3496] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee637bc84] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee723fd14] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee723f59c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee723fcfc] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee724005c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5056] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee637bc84] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee723fd14] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee723f59c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee723fcfc] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee724005c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5060] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee637bc84] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee723fd14] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee723f59c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee723fcfc] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee724005c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1120] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee637bc84] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.87\chrome_child.dll ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80067b02c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80067b02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-4 fffffa80067b02c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80067b02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80067b02c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80067b02c0 Device \FileSystem\Ntfs \Ntfs fffffa80067be2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80083722c0 Device \Driver\cdrom \Device\CdRom0 fffffa80080af2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3C71FFB0-58C8-4BB2-AD41-007420F5B3A3} fffffa80081042c0 Device \Driver\cdrom \Device\CdRom1 fffffa80080af2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80083722c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8007cb52c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80083722c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{E4557D25-D8FD-4624-A44B-34DE254664D5} fffffa80081042c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80081042c0 Device \Driver\dtsoftbus01 \Device\00000077 fffffa8007cb52c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80067b02c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80083722c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80067b02c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80067b02c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80067b02c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80067b02c0]<< sptd.sys ataport.SYS pciide.sys fffffa80067b02c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800779f060] fffffa800779f060 Trace 3 CLASSPNP.SYS[fffff88000c0143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-4[0xfffffa8007797060] fffffa8007797060 Trace \Driver\atapi[0xfffffa800681f920] -> IRP_MJ_CREATE -> 0xfffffa80067b02c0 fffffa80067b02c0 ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [4952:4064] 000007fef8375024 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [4952:1744] 000007fef8375024 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [4952:2672] 000007fef156cd20 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1164:2368] 000007fee3eb6d40 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1164:2096] 000007fef156cd20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\PDFSFilter\Parameters\{391df4ca-81ee-11e2-8de3-806e6f6e6963}@NumExtendFileExtentsSaved 763817 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1F 0x1E 0x58 0x42 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA0 0x08 0xD2 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x52 0xE5 0xB4 0x93 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1F 0x1E 0x58 0x42 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA0 0x08 0xD2 0x76 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x52 0xE5 0xB4 0x93 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice@Progid WMP11.AssocFile.WMD Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice@Progid WMP11.AssocFile.WMS Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice@Progid WMP11.AssocFile.WMZ ---- EOF - GMER 2.2 ----