GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-26 19:15:21 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000083 WDC_____ rev.01.0 298,09GB Running: b1gj3q7w.exe; Driver: C:\Users\Jars\AppData\Local\Temp\pgldrpoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88005cb630c 12 bytes {MOV RAX, 0xfffffa8008dd22a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000049dd0470 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffffd2ab4690} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000049dd0460 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000049dd0370 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000049dd0480 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 0000000049dd03e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000049dd0320 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 0000000049dd03b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000049dd0390 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 0000000049dd02e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000049dd0440 .text C:\Windows\system32\csrss.exe[508] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 0000000049dd02d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000049dd0310 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 0000000049dd03c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 0000000049dd03f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffffd2ab4190} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000049dd0230 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000049dd0490 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 0000000049dd03a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 0000000049dd02f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000049dd0350 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000049dd0290 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffffd2ab3b90} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 0000000049dd02b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 0000000049dd03d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000049dd0330 
.text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000049dd0410 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000049dd0240 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 0000000049dd01e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000049dd0250 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 0000000049dd04a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffffd2ab3890} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 0000000049dd04b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffffd2ab3890} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000049dd0300 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000049dd0360 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 0000000049dd02a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 0000000049dd02c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000049dd0380 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000049dd0340 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
000000007731d040 5 bytes JMP 0000000049dd0450 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000049dd0260 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000049dd0270 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000049dd0400 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 0000000049dd01f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000049dd0210 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000049dd0200 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000049dd0420 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000049dd0430 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000049dd0220 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000049dd0280 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\wininit.exe[572] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 
00000000774803a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\wininit.exe[572] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 
0000000077480420 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\wininit.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000049dd0470 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffffd2ab4690} .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000049dd0460 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000049dd0370 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000049dd0480 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 0000000049dd03e0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000049dd0320 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 0000000049dd03b0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000049dd0390 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 0000000049dd02e0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
000000007731c180 5 bytes JMP 0000000049dd0440 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 0000000049dd02d0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000049dd0310 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 0000000049dd03c0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 0000000049dd03f0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffffd2ab4190} .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000049dd0230 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000049dd0490 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 0000000049dd03a0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 0000000049dd02f0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000049dd0350 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000049dd0290 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffffd2ab3b90} .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 0000000049dd02b0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 0000000049dd03d0 .text C:\Windows\system32\csrss.exe[596] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000049dd0330 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000049dd0410 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000049dd0240 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 0000000049dd01e0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000049dd0250 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 0000000049dd04a0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffffd2ab3890} .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 0000000049dd04b0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffffd2ab3890} .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000049dd0300 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000049dd0360 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 0000000049dd02a0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 0000000049dd02c0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000049dd0380 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000049dd0340 .text 
C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000049dd0450 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000049dd0260 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000049dd0270 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000049dd0400 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 0000000049dd01f0 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000049dd0210 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000049dd0200 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000049dd0420 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000049dd0430 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000049dd0220 .text C:\Windows\system32\csrss.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000049dd0280 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text 
C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\services.exe[628] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\services.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\lsass.exe[656] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text 
C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 
0000000077480380 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 
000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 
000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 
000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text 
C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\winlogon.exe[744] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 
0000000077480340 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\winlogon.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[800] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text 
C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[800] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes 
JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[884] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 
00000000774802b0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[884] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 
bytes {JMP 0x164690} .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\atiesrxx.exe[988] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 
byte JMP 00000000774804a0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text 
C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[116] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 
0000000077480290 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[116] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 
.text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text 
C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\svchost.exe[448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text 
C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 
000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text 
C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[476] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 
0000000077480240 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[476] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 
0000000077480480 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[1080] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 
000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text 
C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[1176] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 
0000000077480330 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[1176] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text 
C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\atieclxx.exe[1348] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\atieclxx.exe[1348] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\atieclxx.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 
00000000774803b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 
bytes JMP 0000000077480460 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program 
Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files\Avast\afwServ.exe[1536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\spoolsv.exe[1708] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 
0000000077480330 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\spoolsv.exe[1708] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\spoolsv.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffff88d54690} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
000000007731bf90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffff88d54190} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000000070490 .text 
C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffff88d53b90} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffff88d53890} .text C:\Windows\system32\svchost.exe[1764] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffff88d53890} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
000000007731d4a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000000070280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1884] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000038075c .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003803a4 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000000060470 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffff88d44690} .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000000060460 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000380b14 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000380ecc .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000000060370 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 
0000000000060480 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000038163c .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000000060320 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000000603b0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000000060390 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000000602e0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000000060440 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000000602d0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000000060310 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000000603c0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000381284 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000000603f0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffff88d44190} .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000000060230 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000000060490 .text 
C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000000603a0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000000602f0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000000060350 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000000060290 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffff88d43b90} .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000000602b0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000000603d0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000000060330 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000000060410 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000000060240 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000000601e0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000000060250 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000000604a0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffff88d43890} .text C:\Windows\system32\taskhost.exe[2408] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000000604b0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffff88d43890} .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000000060300 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000000060360 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000000602a0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000000602c0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000000060380 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000000060340 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000000060450 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000000060260 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000000060270 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003819f4 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000000601f0 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000000060210 .text C:\Windows\system32\taskhost.exe[2408] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000000060200 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000000060420 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000000060430 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000000060220 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000000060280 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\taskhost.exe[2408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000031075c .text C:\Windows\system32\taskeng.exe[2448] 
C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003103a4 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000310b14 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000310ecc .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000031163c .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 
bytes JMP 00000000774802d0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000311284 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text 
C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\taskeng.exe[2448] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003119f4 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 
000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000036075c .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003603a4 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000360b14 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000360ecc .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\Dwm.exe[2488] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000036163c .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000361284 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text 
C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 
0x163890} .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003619f4 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 
0000000077480430 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\Dwm.exe[2488] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000002e075c .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000002e03a4 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 
bytes JMP 0000000077480460 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000002e0b14 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000002e0ecc .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000002e163c .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000002e1284 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text 
C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\Explorer.EXE[2552] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000002e19f4 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\Explorer.EXE[2552] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\Explorer.EXE[2552] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\Explorer.EXE[2552] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\taskeng.exe[2624] 
C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000003d075c .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003d03a4 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000003d0b14 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000003d0ecc .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000003d163c .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes 
JMP 0000000077480440 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000003d1284 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\taskeng.exe[2624] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes 
JMP 0000000077480380 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003d19f4 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text 
C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\taskeng.exe[2624] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 
5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774ed2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774eeb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e3ee21 5 bytes JMP 00000000003c01f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e4392d 5 bytes JMP 00000000003c0a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074e44994 5 bytes JMP 00000000003c03fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e481f5 5 bytes JMP 00000000003c0804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e48f4c 5 bytes JMP 00000000003c0600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e05181 5 bytes JMP 00000000003d1014 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e05254 5 bytes JMP 00000000003d0804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e053d5 5 bytes JMP 00000000003d0a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e054c2 5 bytes JMP 00000000003d0c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e055e2 5 bytes JMP 00000000003d0e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e0567c 5 bytes JMP 00000000003d01f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e0589f 5 bytes JMP 00000000003d03fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2788] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e05a22 5 bytes JMP 00000000003d0600 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000011075c .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001103a4 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000110b14 
.text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000110ecc .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000011163c .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000111284 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[2864] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 
bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001119f4 .text C:\Windows\System32\svchost.exe[2864] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\System32\svchost.exe[2864] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\System32\svchost.exe[2864] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000016075c .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001603a4 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000160b14 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000160ecc .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000016163c .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 
bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000161284 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text 
C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[2912] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001619f4 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 
0000000077480280 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\svchost.exe[2912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000003e075c .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003e03a4 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000003e0b14 .text 
C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000003e0ecc .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000003e163c .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000003e1284 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[2996] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 
bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003e19f4 .text C:\Windows\System32\svchost.exe[2996] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\System32\svchost.exe[2996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\System32\svchost.exe[2996] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000001b075c .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001b03a4 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000001b0b14 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000001b0ecc .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000001b163c .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes 
JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000001b1284 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[3032] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 
bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001b19f4 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text 
C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 00000000001a0470 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffff88e84690} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 00000000001a0460 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 00000000001a0370 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 00000000001a0480 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000001a03e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 00000000001a0320 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000001a03b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 00000000001a0390 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000001a02e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 00000000001a0440 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000001a02d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 00000000001a0310 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000001a03c0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000001a03f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffff88e84190} .text C:\Program Files 
(x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 00000000001a0230 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 00000000001a0490 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000001a03a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000001a02f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 00000000001a0350 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 00000000001a0290 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffff88e83b90} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000001a02b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000001a03d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 00000000001a0330 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 
5 bytes JMP 00000000001a0410 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 00000000001a0240 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000001a01e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 00000000001a0250 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000001a04a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffff88e83890} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000001a04b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffff88e83890} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 00000000001a0300 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 00000000001a0360 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000001a02a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000001a02c0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 00000000001a0380 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 00000000001a0340 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 00000000001a0450 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 00000000001a0260 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 00000000001a0270 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001a0400 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000001a01f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 00000000001a0210 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 00000000001a0200 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 00000000001a0420 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 00000000001a0430 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 00000000001a0220 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 00000000001a0280 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774ed2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774eeb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files 
(x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e05181 5 bytes JMP 00000000000f1014 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e05254 5 bytes JMP 00000000000f0804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e053d5 5 bytes JMP 00000000000f0a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e054c2 5 bytes JMP 00000000000f0c0c .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e055e2 5 bytes JMP 00000000000f0e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e0567c 5 bytes JMP 00000000000f01f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e0589f 5 bytes JMP 00000000000f03fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e05a22 5 bytes JMP 00000000000f0600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e3ee21 5 bytes JMP 00000000001001f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e4392d 5 bytes JMP 0000000000100a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 
0000000074e44994 5 bytes JMP 00000000001003fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e481f5 5 bytes JMP 0000000000100804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e48f4c 5 bytes JMP 0000000000100600 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000003c075c .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003c03a4 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffff88d54690} .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000003c0b14 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000003c0ecc .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000003c163c .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[2316] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000003c1284 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffff88d54190} .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 
000000007731c6a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffff88d53b90} .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffff88d53890} .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffff88d53890} .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 
0000000000070300 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003c19f4 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[2316] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000001e075c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001e03a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000001e0b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000001e0ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000001e163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000001e1284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text 
C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 
5 bytes JMP 00000000001e19f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text 
C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2744] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000020075c .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000002003a4 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000200b14 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000200ecc .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\WUDFHost.exe[3268] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000020163c .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000201284 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text 
C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000002019f4 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\WUDFHost.exe[3268] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\System32\WUDFHost.exe[3268] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000008075c .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000000803a4 .text C:\Windows\servicing\TrustedInstaller.exe[3340] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000080b14 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000080ecc .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000008163c .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes 
JMP 00000000774802d0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000081284 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text 
C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000000819f4 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 
0000000077480280 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\servicing\TrustedInstaller.exe[3340] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000004b075c .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000004b03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000000070470 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffff88d54690} .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000000070460 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000004b0b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000004b0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000000070370 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000000070480 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000004b163c .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000000070320 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000000703b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000000070390 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000000702e0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000000070440 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000000702d0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000000070310 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000000703c0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000004b1284 .text C:\Program 
Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000000703f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffff88d54190} .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000000070230 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000000070490 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000000703a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000000702f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000000070350 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000000070290 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffff88d53b90} .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000000702b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000000703d0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000000070330 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000000070410 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 
bytes JMP 0000000000070240 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000000701e0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000000070250 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000000704a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffff88d53890} .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000000704b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffff88d53890} .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000000070300 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000000070360 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000000702a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000000702c0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000000070380 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000000070340 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000000070450 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000000070260 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000000070270 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000004b19f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000000701f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000000070210 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000000070200 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000000070420 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000000070430 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000000070220 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000000070280 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Program 
Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Program Files\Elantech\ETDCtrl.exe[3656] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000019075c .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001903a4 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000190b14 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000190ecc .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 
0000000077480480 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000019163c .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000191284 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 
bytes JMP 0000000077480490 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 
000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001919f4 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\SearchIndexer.exe[3992] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\SearchIndexer.exe[3992] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text 
C:\Program Files\Avast\AvastUI.exe[4044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000012075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001203a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000120b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000120ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000012163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000121284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 
+ 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001219f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text 
C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3320] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000043075c .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000004303a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000430b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000430ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000043163c .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000431284 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000004319f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 
000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\wbem\wmiprvse.exe[3304] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000026075c .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000002603a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000260b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000260ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000026163c .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000261284 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text 
C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 
0000000077480300 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000002619f4 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 
bytes JMP 0000000077480430 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\wbem\wmiprvse.exe[1408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcc0 5 bytes JMP 
0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774ed2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774eeb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e3ee21 5 bytes JMP 00000000002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e4392d 5 bytes JMP 0000000000240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074e44994 5 bytes JMP 00000000002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e481f5 5 bytes JMP 0000000000240804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e48f4c 5 bytes JMP 0000000000240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e05181 5 bytes JMP 0000000000251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 
0000000074e05254 5 bytes JMP 0000000000250804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e053d5 5 bytes JMP 0000000000250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e054c2 5 bytes JMP 0000000000250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e055e2 5 bytes JMP 0000000000250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e0567c 5 bytes JMP 00000000002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e0589f 5 bytes JMP 00000000002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3848] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e05a22 5 bytes JMP 0000000000250600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfad0 5 bytes JMP 00000000001d0600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb68 5 bytes JMP 00000000001d0804 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcc0 5 bytes JMP 00000000001d0c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0048 5 bytes JMP 00000000001d0a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1930 5 bytes JMP 00000000001d0e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774ed2f6 5 bytes JMP 00000000001d03fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774eeb2a 5 bytes JMP 00000000001d01f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e3ee21 5 bytes JMP 00000000001e01f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e4392d 5 bytes JMP 00000000001e0a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074e44994 5 bytes JMP 00000000001e03fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e481f5 5 bytes JMP 00000000001e0804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e48f4c 5 bytes JMP 00000000001e0600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e05181 5 bytes JMP 
00000000001f1014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e05254 5 bytes JMP 00000000001f0804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e053d5 5 bytes JMP 00000000001f0a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e054c2 5 bytes JMP 00000000001f0c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e055e2 5 bytes JMP 00000000001f0e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e0567c 5 bytes JMP 00000000001f01f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e0589f 5 bytes JMP 00000000001f03fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[920] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e05a22 5 bytes JMP 00000000001f0600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000774803e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000077480400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774ed2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774eeb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074e3ee21 5 bytes JMP 00000000002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074e4392d 5 bytes JMP 0000000000240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074e44994 5 bytes JMP 00000000002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074e481f5 5 bytes JMP 0000000000240804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074e48f4c 5 bytes JMP 0000000000240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e05181 5 bytes JMP 0000000000251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e05254 5 bytes JMP 0000000000250804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e053d5 5 bytes JMP 0000000000250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e054c2 5 bytes JMP 0000000000250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e055e2 5 bytes JMP 0000000000250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e0567c 5 bytes JMP 00000000002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e0589f 5 bytes JMP 00000000002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[484] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e05a22 5 bytes JMP 0000000000250600 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000016075c .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001603a4 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000160b14 .text C:\Windows\System32\svchost.exe[4312] 
C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000160ecc .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000016163c .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000161284 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 
bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[4312] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001619f4 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 
bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\System32\svchost.exe[4312] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text 
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774ed2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774eeb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[3232] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000020075c .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000002003a4 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text 
C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000200b14 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000200ecc .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000020163c .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000201284 .text C:\Windows\system32\svchost.exe[5064] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 
bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[5064] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000002019f4 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\svchost.exe[5064] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000001b075c .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001b03a4 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000001b0b14 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000001b0ecc .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000001b163c .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 
bytes JMP 0000000077480390 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000001b1284 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text 
C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\system32\svchost.exe[3152] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001b19f4 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 
0000000077480280 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\system32\svchost.exe[3152] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000003a075c .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000003a03a4 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Windows\System32\svchost.exe[2732] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000003a0b14 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000003a0ecc .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000003a163c .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000077480310 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000003a1284 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 
byte JMP 00000000774803f0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text 
C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Windows\System32\svchost.exe[2732] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000003a19f4 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000077480200 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\System32\svchost.exe[2732] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\System32\svchost.exe[2732] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 00000000001f075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000001f03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 00000000001f0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 00000000001f0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000001f163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 00000000001f1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000001f19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720f18d 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 
000007fe7ddd0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1840] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f2280 5 bytes JMP 000000000028075c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f6130 5 bytes JMP 00000000002803a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000077480470 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000077480460 .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007731beb0 5 bytes JMP 0000000000280b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007731bf10 5 bytes JMP 0000000000280ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000077480370 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000077480480 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 000000000028163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000077480320 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000774803b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000077480390 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000774802e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000077480440 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000774802d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 
0000000077480310 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000774803c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007731c230 5 bytes JMP 0000000000281284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000774803f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000077480230 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000077480490 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000774803a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000774802f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000077480350 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000077480290 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000774802b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000774803d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000077480330 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000077480410 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007731c860 5 bytes JMP 0000000077480240 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000774801e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000077480250 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000774804a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000774804b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000077480300 .text C:\Program 
Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000077480360 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000774802a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000774802c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000077480380 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000077480340 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000077480450 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000077480260 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000077480270 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 00000000002819f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000774801f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000077480210 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 
5 bytes JMP 0000000077480200 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000077480420 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000077480430 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000077480220 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000077480280 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007fe7ddd1dac .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007fe7ddd0ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007fe7ddd1284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007fe7ddd163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007fe7ddd19f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007fe7ddd03a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007fe7ddd075c .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesApp64.exe[996] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007fe7ddd0b14 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007731bde0 1 byte JMP 0000000000040470 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007731bde2 3 bytes {JMP 0xffffffff88d24690} .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007731be30 5 bytes JMP 0000000000040460 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007731bf90 5 bytes JMP 0000000000040370 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007731bfe0 5 bytes JMP 0000000000040480 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007731bff0 5 bytes JMP 00000000000403e0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007731c0a0 5 bytes JMP 0000000000040320 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007731c0d0 5 bytes JMP 00000000000403b0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007731c0f0 5 bytes JMP 0000000000040390 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007731c130 5 bytes JMP 00000000000402e0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007731c180 5 bytes JMP 0000000000040440 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007731c1b0 5 bytes JMP 00000000000402d0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007731c1d0 5 bytes JMP 0000000000040310 .text C:\Windows\system32\AUDIODG.EXE[3760] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007731c210 5 bytes JMP 00000000000403c0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007731c260 1 byte JMP 00000000000403f0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007731c262 3 bytes {JMP 0xffffffff88d24190} .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007731c3c0 5 bytes JMP 0000000000040230 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007731c580 5 bytes JMP 0000000000040490 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007731c5b0 5 bytes JMP 00000000000403a0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007731c690 5 bytes JMP 00000000000402f0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007731c6a0 5 bytes JMP 0000000000040350 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007731c700 1 byte JMP 0000000000040290 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007731c702 3 bytes {JMP 0xffffffff88d23b90} .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007731c790 5 bytes JMP 00000000000402b0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007731c7b0 5 bytes JMP 00000000000403d0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007731c7c0 5 bytes JMP 0000000000040330 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007731c830 5 bytes JMP 0000000000040410 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
000000007731c860 5 bytes JMP 0000000000040240 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007731cb20 5 bytes JMP 00000000000401e0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007731cbe0 5 bytes JMP 0000000000040250 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007731cc10 1 byte JMP 00000000000404a0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007731cc12 3 bytes {JMP 0xffffffff88d23890} .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007731cc20 1 byte JMP 00000000000404b0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007731cc22 3 bytes {JMP 0xffffffff88d23890} .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007731cc50 5 bytes JMP 0000000000040300 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007731cc60 5 bytes JMP 0000000000040360 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007731ccc0 5 bytes JMP 00000000000402a0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007731cd10 5 bytes JMP 00000000000402c0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007731cd40 5 bytes JMP 0000000000040380 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007731cd50 5 bytes JMP 0000000000040340 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007731d040 5 bytes JMP 0000000000040450 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007731d240 5 bytes JMP 0000000000040260 .text 
C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007731d250 5 bytes JMP 0000000000040270 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007731d260 5 bytes JMP 0000000000040400 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007731d420 5 bytes JMP 00000000000401f0 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007731d430 5 bytes JMP 0000000000040210 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007731d4a0 5 bytes JMP 0000000000040200 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007731d500 5 bytes JMP 0000000000040420 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007731d510 5 bytes JMP 0000000000040430 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007731d520 5 bytes JMP 0000000000040220 .text C:\Windows\system32\AUDIODG.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007731d600 5 bytes JMP 0000000000040280 .text C:\Users\Jars\Desktop\b1gj3q7w.exe[3896] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f7a315 1 byte [62] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b6f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b6cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b769c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b7a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT 
C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b78f4] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortStallExecution] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortNotification] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?] IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [?] 
IAT C:\Windows\System32\Drivers\a8v0ifx3.SYS[NTOSKRNL.exe!KeBugCheckEx] [?] ---- Devices - GMER 2.2 ---- Device \Driver\JMCR \Device\Scsi\JMCR3Port3Path0TargetffLun0 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR2Port2Path0TargetffLun0 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR4Port4Path0TargetffLun0 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa8008e4b2c0 Device \Driver\JMCR \Device\Scsi\JMCR1Port1Path0TargetffLun0 fffffa8008e4b2c0 Device \Driver\a8v0ifx3 \Device\Scsi\a8v0ifx31 fffffa8008e602c0 Device \FileSystem\Ntfs \Ntfs fffffa80061d82c0 Device \FileSystem\fastfat \Fat fffffa8009b862c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337} fffffa80061bf2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9ACC4012-5376-4061-8210-D9ABE9A2BCF1} fffffa80061bf2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8008dd62c0 Device \Driver\iaStorA \Device\00000084 fffffa80061d42c0 Device \Driver\iaStorA \Device\RaidPort0 fffffa80061d42c0 Device \Driver\cdrom \Device\CdRom0 fffffa8008bd92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{93438653-A06C-451C-A3CE-260FEB8B08A5} fffffa80061bf2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8008dd62c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8008dd62c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80061bf2c0 Device \Driver\iaStorA \Device\ScsiPort0 fffffa80061d42c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8008dd62c0 Device \Driver\JMCR \Device\ScsiPort1 fffffa8008e4b2c0 Device \Driver\iaStorA \Device\00000083 fffffa80061d42c0 Device \Driver\JMCR \Device\ScsiPort2 fffffa8008e4b2c0 Device \Driver\JMCR \Device\ScsiPort3 fffffa8008e4b2c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa8008e4b2c0 Device \Driver\a8v0ifx3 \Device\ScsiPort5 fffffa8008e602c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe 
CLASSPNP.SYS disk.sys iaStorF.sys ACPI.sys >>UNKNOWN [0xfffffa80061d42c0]<< sptd.sys storport.sys hal.dll iaStorA.sys fffffa80061d42c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80067d9060] fffffa80067d9060 Trace 3 CLASSPNP.SYS[fffff88001f6343f] -> nt!IofCallDriver -> [0xfffffa8006677c50] fffffa8006677c50 Trace 5 iaStorF.sys[fffff88001f00f84] -> nt!IofCallDriver -> [0xfffffa800545a040] fffffa800545a040 Trace 7 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\00000083[0xfffffa800635f5c0] fffffa800635f5c0 Trace \Driver\iaStorA[0xfffffa8006358390] -> IRP_MJ_CREATE -> 0xfffffa80061d42c0 fffffa80061d42c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\a8v0ifx3.SYS (MS AHCI 1.0 Standard Driver/Microsoft Corporation SIGNED)(2011-08-06 20:01:23) fffff88005e0f000-fffff88005e5b000 (311296 bytes) ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:4452] 000007fefe46fb40 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:4472] 000007fefaaa2be0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:4480] 000007fef06e8a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:4500] 000007fef06e8a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:4504] 000007fef06e8a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:4572] 000007fef7685124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:1128] 000007fef064d668 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [696:3504] 000007fef06e8a28 Thread C:\Windows\System32\svchost.exe [2732:5112] 000007fee8189688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272b10f18 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272b10f18@e4ec10f43c66 0x2E 0x2B 0x00 0x8A ... 
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74f06dbcec5f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC2 0x7B 0x3C 0xC5 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0xA9 0x22 0xDA ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEA 0xF2 0x64 0xB1 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0x57 0x62 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? 
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 6 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ImagePath \??\C:\Windows\system32\drivers\aswFW.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! 
TDI Firewall Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 15 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 8 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 598 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 7946711 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@Enabled 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 14 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! 
Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b10f18 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b10f18@e4ec10f43c66 0x54 0xA6 0x42 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b10f18@2c5a05368b22 0x8C 0x4B 0x1F 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dbcec5f Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@LeaseObtainedTime 1488129580 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@T1 1488129610 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@T2 1488129632 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@LeaseTerminatesTime 1488129640 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{2d6d2239-aa0b-4bae-ad2b-07a1e8e17337}@Dhcpv6MaxLeaseExpireTime 1488129628 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{2d6d2239-aa0b-4bae-ad2b-07a1e8e17337}@Dhcpv6LeaseObtainedTime 1488129568 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Tag 6 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@ImagePath \??\C:\Windows\system32\drivers\aswFW.sys Reg HKLM\SYSTEM\ControlSet003\services\aswFW@DisplayName avast! TDI Firewall Driver Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Description avast! TDI Firewall Driver Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Tag 15 Reg HKLM\SYSTEM\ControlSet003\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Tag 8 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@BootCounter 598 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@TickCounter 7946711 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@Enabled 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Tag 14 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ImagePath "C:\Program Files\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ImagePath "C:\Program Files\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272b10f18 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272b10f18@e4ec10f43c66 0x54 0xA6 0x42 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272b10f18@2c5a05368b22 0x8C 0x4B 0x1F 0xDE ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74f06dbcec5f (not active ControlSet) ---- EOF - GMER 2.2 ----