GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-13 19:54:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000082 WDC_____ rev.01.0 298,09GB Running: b1gj3q7w.exe; Driver: C:\Users\Jars\AppData\Local\Temp\pgldrpoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88000dd030c 12 bytes {MOV RAX, 0xfffffa8008d982a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000049e40470 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffffd2604690} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000049e40460 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000049e40370 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000049e40480 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 0000000049e403e0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000049e40320 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 0000000049e403b0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000049e40390 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 0000000049e402e0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000049e40440 .text C:\Windows\system32\csrss.exe[488] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 0000000049e402d0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000049e40310 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 0000000049e403c0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 0000000049e403f0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffffd2604190} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000049e40230 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000049e40490 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 0000000049e403a0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 0000000049e402f0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000049e40350 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000049e40290 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffffd2603b90} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 0000000049e402b0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 0000000049e403d0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000049e40330 
.text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000049e40410 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000049e40240 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 0000000049e401e0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000049e40250 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 0000000049e404a0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffffd2603890} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 0000000049e404b0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffffd2603890} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000049e40300 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000049e40360 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 0000000049e402a0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 0000000049e402c0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000049e40380 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000049e40340 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
000000007783d040 5 bytes JMP 0000000049e40450 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000049e40260 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000049e40270 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 0000000049e40400 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 0000000049e401f0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000049e40210 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000049e40200 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000049e40420 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000049e40430 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000049e40220 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000049e40280 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\wininit.exe[552] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 
00000000779a03a0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\wininit.exe[552] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 
00000000779a0420 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\wininit.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000049e40470 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffffd2604690} .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000049e40460 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000049e40370 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000049e40480 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 0000000049e403e0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000049e40320 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 0000000049e403b0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000049e40390 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 0000000049e402e0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
000000007783c180 5 bytes JMP 0000000049e40440 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 0000000049e402d0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000049e40310 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 0000000049e403c0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 0000000049e403f0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffffd2604190} .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000049e40230 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000049e40490 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 0000000049e403a0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 0000000049e402f0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000049e40350 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000049e40290 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffffd2603b90} .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 0000000049e402b0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 0000000049e403d0 .text C:\Windows\system32\csrss.exe[580] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000049e40330 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000049e40410 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000049e40240 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 0000000049e401e0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000049e40250 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 0000000049e404a0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffffd2603890} .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 0000000049e404b0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffffd2603890} .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000049e40300 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000049e40360 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 0000000049e402a0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 0000000049e402c0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000049e40380 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000049e40340 .text 
C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000049e40450 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000049e40260 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000049e40270 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 0000000049e40400 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 0000000049e401f0 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000049e40210 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000049e40200 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000049e40420 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000049e40430 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000049e40220 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000049e40280 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text 
C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\services.exe[612] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\lsass.exe[640] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text 
C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 
00000000779a0380 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 
000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 
000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 
000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text 
C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\winlogon.exe[724] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 
00000000779a0340 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[788] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text 
C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[788] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes 
JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88834690} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[876] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88834190} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88833b90} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes 
JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88833890} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88833890} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[876] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 
00000000779a0470 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\atiesrxx.exe[936] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 
bytes JMP 00000000779a0250 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\atiesrxx.exe[936] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 
00000000779a0320 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[996] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 
00000000779a0360 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[996] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 
.text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[128] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 
00000000779a0270 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[424] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 
00000000779a02f0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[424] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 
00000000779a0430 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 
00000000779a0410 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 
00000000779a0370 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[1056] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 
1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text 
C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[1156] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes 
JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[1156] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text 
C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\atieclxx.exe[1304] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte 
JMP 00000000779a04a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1348] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK 
Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program 
Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 
00000000779a02c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1380] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files\Avast\afwServ.exe[1496] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 
00000000779a0440 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\spoolsv.exe[1728] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 
00000000779a0340 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text 
C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[1776] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 
000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text 
C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000000210470 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff889d4690} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000000210460 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000000210370 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000000210480 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000002103e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000000210320 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
000000007783c0d0 5 bytes JMP 00000000002103b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000000210390 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000002102e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000000210440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000002102d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000000210310 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000002103c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000002103f0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff889d4190} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000000210230 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000000210490 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000002103a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000002102f0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000000210350 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000000210290 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff889d3b90} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000002102b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000002103d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000000210330 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000000210410 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000000210240 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000002101e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000000210250 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000002104a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff889d3890} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000002104b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff889d3890} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000000210300 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000000210360 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000002102a0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000002102c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000000210380 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000000210340 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000000210450 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000000210260 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000000210270 .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 0000000000210400 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000002101f0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000000210210 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000000210200 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000000210420 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000000210430 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000000210220 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000000210280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1224] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000026075c .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002603a4 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 
0x164690} .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000260b14 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000260ecc .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000026163c .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\svchost.exe[2388] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000261284 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text 
C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002619f4 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\System32\svchost.exe[2388] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\System32\svchost.exe[2388] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000010075c .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001003a4 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88834690} .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000100b14 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000100ecc .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000010163c .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
000000007783c0a0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000101284 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88834190} .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000702f0 .text 
C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88833b90} .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88833890} .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88833890} .text C:\Windows\system32\svchost.exe[2464] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001019f4 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 
0000000000070430 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\svchost.exe[2464] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000039075c .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003903a4 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text 
C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000390b14 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000390ecc .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000039163c .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\svchost.exe[2540] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000391284 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text 
C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003919f4 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text 
C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\System32\svchost.exe[2540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000003d075c .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003d03a4 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000003d0b14 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000003d0ecc .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000003d163c .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\svchost.exe[2572] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000003d1284 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 
000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text 
C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003d19f4 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[2572] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\System32\svchost.exe[2572] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000000c0470 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88884690} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000000c0460 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000000c0370 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000000c0480 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000000c03e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000000c0320 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000c03b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000000c0390 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000c02e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000000c0440 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000c02d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000000c0310 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000c03c0 .text C:\Program Files 
(x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000c03f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88884190} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000000c0230 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000000c0490 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000c03a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000c02f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000000c0350 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000000c0290 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88883b90} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000c02b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
000000007783c7b0 5 bytes JMP 00000000000c03d0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000000c0330 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000000c0410 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000000c0240 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000c01e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000000c0250 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000c04a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88883890} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000c04b0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88883890} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000000c0300 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 
120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000000c0360 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000c02a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000c02c0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000000c0380 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000000c0340 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000000c0450 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000000c0260 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000000c0270 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000000c0400 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000c01f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000000c0210 .text C:\Program 
Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000000c0200 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000000c0420 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000000c0430 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000000c0220 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000000c0280 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 
bytes JMP 00000000000303fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759c5181 5 bytes JMP 00000000000d1014 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759c5254 5 bytes JMP 00000000000d0804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759c53d5 5 bytes JMP 00000000000d0a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759c54c2 5 bytes JMP 00000000000d0c0c .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759c55e2 5 bytes JMP 00000000000d0e10 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759c567c 5 bytes JMP 00000000000d01f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759c589f 5 bytes JMP 00000000000d03fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759c5a22 5 bytes JMP 00000000000d0600 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075bbee21 5 bytes JMP 00000000000e01f8 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075bc392d 5 bytes JMP 00000000000e0a08 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075bc4994 5 bytes JMP 00000000000e03fc .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075bc81f5 5 bytes JMP 00000000000e0804 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075bc8f4c 5 bytes JMP 00000000000e0600 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000003a075c .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003a03a4 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88834690} .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000003a0b14 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000003a0ecc .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[2716] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000003a163c .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000003a1284 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88834190} .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 
000000007783c580 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88833b90} .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88833890} .text 
C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88833890} .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003a19f4 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[2716] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000035075c .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003503a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000000070470 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88834690} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000000070460 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000350b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000350ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000000070370 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 0000000000070480 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000035163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000000070320 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000703b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000000070390 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000702e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000000070440 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000702d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000000070310 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000703c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000351284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000703f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88834190} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000000070230 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000000070490 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
000000007783c5b0 5 bytes JMP 00000000000703a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000702f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000000070350 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000000070290 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88833b90} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000702b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000703d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000000070330 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000000070410 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000000070240 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000701e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000000070250 .text C:\Program 
Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000704a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88833890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000704b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88833890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000000070300 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000000070360 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000702a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000702c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000000070380 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000000070340 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000000070450 .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000000070260 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003519f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000701f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000000070210 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000000070200 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000000070420 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000000070430 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000000070220 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000000070280 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2788] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000003a075c .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003a03a4 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000003a0b14 
.text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000003a0ecc .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000003a163c .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000003a1284 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\taskhost.exe[3600] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003a19f4 .text 
C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text 
C:\Windows\system32\taskhost.exe[3600] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000010075c .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001003a4 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000100b14 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000100ecc .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000010163c .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\taskeng.exe[3652] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000101284 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 
bytes {JMP 0x163b90} .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\taskeng.exe[3652] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001019f4 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 
5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\taskeng.exe[3652] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000002a075c .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002a03a4 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000002a0b14 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000002a0ecc .text C:\Windows\system32\Dwm.exe[3676] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000002a163c .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000002a1284 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\Dwm.exe[3676] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text 
C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002a19f4 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 
00000000779a0200 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\Dwm.exe[3676] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000002c075c .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002c03a4 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 
000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000002c0b14 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000002c0ecc .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000002c163c .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text 
C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000002c1284 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\Explorer.EXE[3760] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
000000007783d260 5 bytes JMP 00000000002c19f4 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\Explorer.EXE[3760] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 
000007fe7f15075c .text C:\Windows\Explorer.EXE[3760] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000020075c .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002003a4 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000200b14 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000200ecc .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000020163c .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\taskeng.exe[3820] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000201284 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 
bytes {JMP 0x163b90} .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\taskeng.exe[3820] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002019f4 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 
5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\taskeng.exe[3820] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000026075c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002603a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 
000000007783beb0 5 bytes JMP 0000000000260b14 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000260ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000026163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000261284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002619f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes 
JMP 00000000779a0200 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\AVG\AVG PC 
TuneUp\TuneUpUtilitiesApp64.exe[3912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000017075c .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001703a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000170b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000170ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000017163c .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 
00000000779a0390 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000171284 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001719f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text 
C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\wbem\wmiprvse.exe[4080] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000034075c .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003403a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 
000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000340b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000340ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000034163c .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000341284 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program 
Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text 
C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003419f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes 
JMP 000007fe7f150ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files\Elantech\ETDCtrl.exe[3308] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 
00000000779a0250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075bbee21 5 bytes JMP 00000000002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075bc392d 5 bytes JMP 0000000000240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075bc4994 5 bytes JMP 00000000002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075bc81f5 5 bytes JMP 0000000000240804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075bc8f4c 5 bytes JMP 0000000000240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759c5181 5 bytes JMP 
0000000000251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759c5254 5 bytes JMP 0000000000250804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759c53d5 5 bytes JMP 0000000000250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759c54c2 5 bytes JMP 0000000000250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759c55e2 5 bytes JMP 0000000000250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759c567c 5 bytes JMP 00000000002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759c589f 5 bytes JMP 00000000002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[3060] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759c5a22 5 bytes JMP 0000000000250600 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000001d075c .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001d03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000001d0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000001d0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000001d163c .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000001d1284 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 
00000000779a0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 
bytes JMP 00000000779a0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001d19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\wbem\wmiprvse.exe[3352] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\wbem\wmiprvse.exe[3352] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files\Avast\AvastUI.exe[3536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000000a075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000000a03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 0000000000070470 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88834690} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 0000000000070460 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000000a0b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000000a0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 0000000000070370 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes 
JMP 0000000000070480 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000000a163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 0000000000070320 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000703b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 0000000000070390 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000702e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 0000000000070440 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000702d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 0000000000070310 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000703c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000000a1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000703f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88834190} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 0000000000070230 .text C:\Program 
Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 0000000000070490 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000703a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000702f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 0000000000070350 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 0000000000070290 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88833b90} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000702b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000703d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 0000000000070330 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 0000000000070410 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 0000000000070240 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000701e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 0000000000070250 .text C:\Program 
Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000704a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88833890} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000704b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88833890} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 0000000000070300 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 0000000000070360 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000702a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000702c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 0000000000070380 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 0000000000070340 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 0000000000070450 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 0000000000070260 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 0000000000070270 .text C:\Program 
Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000000a19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000701f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 0000000000070210 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 0000000000070200 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 0000000000070420 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 0000000000070430 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 0000000000070220 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 0000000000070280 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program 
Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3148] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 
0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075bbee21 5 bytes JMP 00000000002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075bc392d 5 bytes JMP 0000000000240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075bc4994 5 bytes JMP 00000000002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075bc81f5 5 bytes JMP 0000000000240804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075bc8f4c 5 bytes JMP 0000000000240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759c5181 5 bytes JMP 0000000000251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759c5254 5 bytes JMP 0000000000250804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759c53d5 5 bytes JMP 0000000000250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 
00000000759c54c2 5 bytes JMP 0000000000250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759c55e2 5 bytes JMP 0000000000250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759c567c 5 bytes JMP 00000000002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759c589f 5 bytes JMP 00000000002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3320] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759c5a22 5 bytes JMP 0000000000250600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 
00000000779a0270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075bbee21 5 bytes JMP 00000000002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075bc392d 5 bytes JMP 0000000000240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075bc4994 5 bytes JMP 00000000002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075bc81f5 5 bytes JMP 0000000000240804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075bc8f4c 5 bytes JMP 0000000000240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759c5181 5 bytes JMP 0000000000251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759c5254 5 bytes JMP 0000000000250804 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759c53d5 5 bytes JMP 0000000000250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759c54c2 5 bytes JMP 0000000000250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759c55e2 5 bytes JMP 0000000000250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759c567c 5 bytes JMP 00000000002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759c589f 5 bytes JMP 00000000002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3300] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759c5a22 5 bytes JMP 0000000000250600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text 
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\ASUS\ATK 
Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\ASUS\ATK Package\ATK 
Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075bbee21 5 bytes JMP 00000000002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075bc392d 5 bytes JMP 0000000000240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075bc4994 5 bytes JMP 00000000002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075bc81f5 5 bytes JMP 0000000000240804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075bc8f4c 5 bytes JMP 0000000000240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759c5181 5 bytes JMP 0000000000251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759c5254 5 bytes JMP 0000000000250804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759c53d5 5 bytes JMP 0000000000250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759c54c2 5 bytes JMP 0000000000250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759c55e2 5 bytes JMP 0000000000250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759c567c 5 bytes JMP 00000000002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759c589f 5 bytes JMP 00000000002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1296] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759c5a22 5 bytes JMP 0000000000250600 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000018075c .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001803a4 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000180b14 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000180ecc .text C:\Windows\system32\SearchIndexer.exe[1256] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000018163c .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000181284 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text 
C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 
00000000779a0250 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 
5 bytes JMP 00000000001819f4 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\SearchIndexer.exe[1256] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\SearchIndexer.exe[1256] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000017075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001703a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000170b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000170ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000017163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files\Windows Media 
Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000171284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 
00000000779a03a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 
2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001719f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000002a075c .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002a03a4 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000002a0b14 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000002a0ecc 
.text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000002a163c .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000002a1284 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text 
C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002a19f4 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[168] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\System32\svchost.exe[168] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 
0000000077812280 5 bytes JMP 000000000017075c .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001703a4 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000170b14 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000170ecc .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000017163c .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text 
C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000171284 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[4528] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes 
JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001719f4 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text 
C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\svchost.exe[4528] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000017075c .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001703a4 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000170b14 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000170ecc .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\svchost.exe[4692] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000017163c .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000171284 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 
bytes JMP 00000000779a0490 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[4692] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001719f4 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000001b075c .text 
C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001b03a4 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000001b0b14 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000001b0ecc .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000001b163c .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\svchost.exe[4780] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000001b1284 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 
bytes JMP 00000000779a03d0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\svchost.exe[4780] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001b19f4 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 
000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\System32\svchost.exe[4780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 0000000000030e10 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 bytes JMP 00000000000303fc .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe[4340] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 
112 0000000075aca315 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000027075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002703a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000270b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000270ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000027163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000271284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002719f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4728] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000026075c .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002603a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000260b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000260ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 14 bytes {MOV RAX, 0x7fefac172b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000026163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000261284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002619f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\system32\USER32.dll!UnhookWinEvent 00000000775d84a0 5 bytes JMP 000000000049075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 00000000775dd390 5 bytes JMP 0000000000491284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000775df804 5 bytes JMP 0000000000490ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000775e4ccc 5 bytes JMP 00000000004903a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4416] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000775f8bd0 5 bytes JMP 0000000000490b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000034075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003403a4 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000340b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000340ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000034163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000341284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003419f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4312] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000026075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002603a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000260b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000260ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000026163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000261284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002619f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4260] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000044075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000004403a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, 
C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000440b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000440ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] 
C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000044163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000441284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 
0x164190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 
00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, 
B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000004419f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4168] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000016075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001603a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000160b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000160ecc .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000016163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000161284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001619f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes 
JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000052075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 
bytes JMP 00000000005203a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000520b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000520ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000052163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 
6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000521284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000005219f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000052075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000005203a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD 
[RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000520b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000520ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000779a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] 
C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000052163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000521284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 
00000000779a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 
bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000779a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000005219f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000036075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000003603a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000000a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88864690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000000a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000360b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000360ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, 
C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000000a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000000a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000036163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000000a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000000a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000a02e0 .text C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000000a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000000a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000361284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88864190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000000a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000000a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000a03a0 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000000a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000000a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88863b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000000a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000000a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000000a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000000a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000a04a0 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88863890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88863890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000000a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000000a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000000a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes 
JMP 00000000000a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000000a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000000a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000000a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000003619f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000000a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000000a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000000a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000000a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000000a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000000a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000000a075c .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000000a03a4 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 
byte JMP 00000000779a0470 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000000a0b14 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000000a0ecc .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000000a163c .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text 
C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000000a1284 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\System32\StikyNot.exe[4332] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000000a19f4 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007772f18d 1 byte [62] .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 
000007fe7f151284 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Windows\System32\StikyNot.exe[4332] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 000000000022075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000002203a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000000a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88864690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000000a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 0000000000220b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 0000000000220ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000000a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; 
JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000000a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 000000000022163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000000a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000000a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000000a0440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000000a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 0000000000221284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88864190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000000a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000000a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000a02f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000000a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000000a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88863b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000000a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000000a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000000a0240 .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000000a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88863890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88863890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000000a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000000a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 
bytes JMP 00000000000a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000000a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000000a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000000a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000000a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000000a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000002219f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000000a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000000a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000000a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000000a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000000a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000000a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[4552] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077812280 5 bytes JMP 00000000001f075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077816130 5 bytes JMP 00000000001f03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000000a0470 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0xffffffff88864690} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007783be00 7 bytes [48, B8, 60, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007783be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000000a0460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007783beb0 5 bytes JMP 00000000001f0b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007783bf10 5 bytes JMP 00000000001f0ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007783bf70 7 bytes [48, B8, E0, 04, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007783bf78 6 bytes {ADD [RAX], AL; 
JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 7 bytes JMP 00000000000a0370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007783bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007783bfa0 7 bytes [48, B8, C0, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007783bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007783bfb0 7 bytes [48, B8, 40, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007783bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007783bfd0 7 bytes [48, B8, B0, 03, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007783bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000000a0480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000001f163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007783c020 7 bytes [48, B8, 50, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007783c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007783c030 7 bytes [48, B8, 20, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007783c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007783c060 7 bytes [48, B8, 40, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007783c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000000a0320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000000a03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000000a0390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007783c100 7 bytes [48, B8, 80, 06, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007783c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000000a02e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000000a0440 .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000000a02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000000a0310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000000a03c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007783c230 5 bytes JMP 00000000001f1284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000000a03f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0xffffffff88864190} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007783c280 7 bytes [48, B8, C0, 05, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007783c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000000a0230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000000a0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000000a03a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000000a02f0 .text C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000000a0350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000000a0290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0xffffffff88863b90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000000a02b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000000a03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000000a0330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000000a0410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000000a0240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000000a01e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000000a0250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000000a04a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0xffffffff88863890} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000000a04b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0xffffffff88863890} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000000a0300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000000a0360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000000a02a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007783ccf0 7 bytes [48, B8, 00, 09, C1, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007783ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000000a02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 7 bytes JMP 00000000000a0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007783cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000000a0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007783ce90 7 bytes [48, B8, A0, 06, C1, 3F, 01] 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007783ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000000a0450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000000a0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000000a0270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000001f19f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000000a01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000000a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000000a0200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000000a0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000000a0430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000000a0220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 
00000000000a0280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff136e00 5 bytes JMP 000007fe7f151dac .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff136f2c 5 bytes JMP 000007fe7f150ecc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff137220 5 bytes JMP 000007fe7f151284 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff13739c 5 bytes JMP 000007fe7f15163c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff137538 5 bytes JMP 000007fe7f1519f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1375e8 5 bytes JMP 000007fe7f1503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff13790c 5 bytes JMP 000007fe7f15075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff137ab4 5 bytes JMP 000007fe7f150b14 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text C:\Windows\system32\AUDIODG.EXE[900] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 
00000000779a03a0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text C:\Windows\system32\AUDIODG.EXE[900] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 
00000000779a0420 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text C:\Windows\system32\AUDIODG.EXE[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007783bde0 1 byte JMP 00000000779a0470 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 000000007783bde2 3 bytes {JMP 0x164690} .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007783be30 5 bytes JMP 00000000779a0460 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007783bf90 5 bytes JMP 00000000779a0370 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007783bfe0 5 bytes JMP 00000000779a0480 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007783bff0 5 bytes JMP 00000000779a03e0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007783c0a0 5 bytes JMP 00000000779a0320 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007783c0d0 5 bytes JMP 00000000779a03b0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007783c0f0 5 bytes JMP 00000000779a0390 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007783c130 5 bytes JMP 00000000779a02e0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007783c180 5 bytes JMP 00000000779a0440 .text D:\7. 
PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007783c1b0 5 bytes JMP 00000000779a02d0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007783c1d0 5 bytes JMP 00000000779a0310 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007783c210 5 bytes JMP 00000000779a03c0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007783c260 1 byte JMP 00000000779a03f0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 000000007783c262 3 bytes {JMP 0x164190} .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007783c3c0 5 bytes JMP 00000000779a0230 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007783c580 5 bytes JMP 00000000779a0490 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007783c5b0 5 bytes JMP 00000000779a03a0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007783c690 5 bytes JMP 00000000779a02f0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007783c6a0 5 bytes JMP 00000000779a0350 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007783c700 1 byte JMP 00000000779a0290 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 000000007783c702 3 bytes {JMP 0x163b90} .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007783c790 5 bytes JMP 00000000779a02b0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007783c7b0 5 bytes JMP 00000000779a03d0 .text D:\7. 
PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007783c7c0 5 bytes JMP 00000000779a0330 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007783c830 5 bytes JMP 00000000779a0410 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007783c860 5 bytes JMP 00000000779a0240 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007783cb20 5 bytes JMP 00000000779a01e0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007783cbe0 5 bytes JMP 00000000779a0250 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007783cc10 1 byte JMP 00000000779a04a0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 000000007783cc12 3 bytes {JMP 0x163890} .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007783cc20 1 byte JMP 00000000779a04b0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 000000007783cc22 3 bytes {JMP 0x163890} .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007783cc50 5 bytes JMP 00000000779a0300 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007783cc60 5 bytes JMP 00000000779a0360 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007783ccc0 5 bytes JMP 00000000779a02a0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007783cd10 5 bytes JMP 00000000779a02c0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007783cd40 5 bytes JMP 00000000779a0380 .text D:\7. 
PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007783cd50 5 bytes JMP 00000000779a0340 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007783d040 5 bytes JMP 00000000779a0450 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007783d240 5 bytes JMP 00000000779a0260 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007783d250 5 bytes JMP 00000000779a0270 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007783d260 5 bytes JMP 00000000779a0400 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007783d420 5 bytes JMP 00000000779a01f0 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007783d430 5 bytes JMP 00000000779a0210 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007783d4a0 5 bytes JMP 00000000779a0200 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007783d500 5 bytes JMP 00000000779a0420 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007783d510 5 bytes JMP 00000000779a0430 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007783d520 5 bytes JMP 00000000779a0220 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007783d600 5 bytes JMP 00000000779a0280 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000779efad0 5 bytes JMP 0000000000030600 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000779efb68 5 bytes JMP 0000000000030804 .text D:\7. 
PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcc0 5 bytes JMP 0000000000030c0c .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779f0048 5 bytes JMP 0000000000030a08 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779f1930 5 bytes JMP 0000000000030e10 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a0d2f6 5 bytes JMP 00000000000303fc .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a0eb2a 5 bytes JMP 00000000000301f8 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075aca315 1 byte [62] .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759c5181 5 bytes JMP 00000000001d1014 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759c5254 5 bytes JMP 00000000001d0804 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759c53d5 5 bytes JMP 00000000001d0a08 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759c54c2 5 bytes JMP 00000000001d0c0c .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759c55e2 3 bytes JMP 00000000001d0e10 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 4 00000000759c55e6 1 byte [8A] .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759c567c 5 bytes JMP 00000000001d01f8 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759c589f 5 bytes JMP 00000000001d03fc .text D:\7. 
PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759c5a22 5 bytes JMP 00000000001d0600 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075bbee21 5 bytes JMP 00000000001e01f8 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075bc392d 5 bytes JMP 00000000001e0a08 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075bc4994 5 bytes JMP 00000000001e03fc .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075bc81f5 5 bytes JMP 00000000001e0804 .text D:\7. PROGRAMY\LOGI\b1gj3q7w.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075bc8f4c 5 bytes JMP 00000000001e0600 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800104af1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800104acc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800104b69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800104ba98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104b8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee4329010] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee4328874] C:\Program 
Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee4328ff8] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee4329244] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5076] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee32e2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee4329010] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee4328874] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee4328ff8] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee4329244] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3560] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee32e2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] 
[7fee4329010] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee4328874] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee4328ff8] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee4329244] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4572] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee32e2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee4329010] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee4328874] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee4328ff8] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee4329244] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3056] @ 
C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee32e2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee4329010] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee4328874] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee4328ff8] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee4329244] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4552] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee32e2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee4329010] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee4328874] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee4328ff8] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[800] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee4329244] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[800] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee32e2348] C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\chrome_child.dll ---- Devices - GMER 2.2 ---- Device \Driver\JMCR \Device\Scsi\JMCR3Port3Path0TargetffLun0 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR2Port2Path0TargetffLun0 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR4Port4Path0TargetffLun0 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa8008e1c2c0 Device \Driver\JMCR \Device\Scsi\JMCR1Port1Path0TargetffLun0 fffffa8008e1c2c0 Device \Driver\almavd1j \Device\Scsi\almavd1j1 fffffa8008e372c0 Device \FileSystem\Ntfs \Ntfs fffffa80061d22c0 Device \FileSystem\fastfat \Fat fffffa8008eaa2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337} fffffa8008c102c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9ACC4012-5376-4061-8210-D9ABE9A2BCF1} fffffa8008c102c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8008dbd2c0 Device \Driver\iaStorA \Device\RaidPort0 fffffa80061ce2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8008be62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{93438653-A06C-451C-A3CE-260FEB8B08A5} fffffa8008c102c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8008dbd2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8008dbd2c0 Device \Driver\iaStorA \Device\00000082 fffffa80061ce2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8008c102c0 Device \Driver\iaStorA \Device\ScsiPort0 fffffa80061ce2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8008dbd2c0 Device \Driver\JMCR \Device\ScsiPort1 
fffffa8008e1c2c0 Device \Driver\iaStorA \Device\00000083 fffffa80061ce2c0 Device \Driver\JMCR \Device\ScsiPort2 fffffa8008e1c2c0 Device \Driver\JMCR \Device\ScsiPort3 fffffa8008e1c2c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa8008e1c2c0 Device \Driver\almavd1j \Device\ScsiPort5 fffffa8008e372c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys ACPI.sys >>UNKNOWN [0xfffffa80061ce2c0]<< sptd.sys storport.sys hal.dll iaStorA.sys fffffa80061ce2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80067e5060] fffffa80067e5060 Trace 3 CLASSPNP.SYS[fffff88001a5043f] -> nt!IofCallDriver -> [0xfffffa8006672a30] fffffa8006672a30 Trace 5 iaStorF.sys[fffff88001cb8f84] -> nt!IofCallDriver -> [0xfffffa800545b040] fffffa800545b040 Trace 7 ACPI.sys[fffff8800119a7a1] -> nt!IofCallDriver -> \Device\00000082[0xfffffa800545a9c0] fffffa800545a9c0 Trace \Driver\iaStorA[0xfffffa80063522e0] -> IRP_MJ_CREATE -> 0xfffffa80061ce2c0 fffffa80061ce2c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\almavd1j.SYS fffff88005e00000-fffff88005e4c000 (311296 bytes) ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3272:3424] 000007fefdc4fb40 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3272:2344] 000007fefb962be0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3272:736] 000007fef2b98a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3272:2560] 000007fef2b98a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3272:2704] 000007fef2b98a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3272:756] 000007fef8ba5124 Thread C:\Windows\System32\svchost.exe [4780:5024] 000007fef2a09688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272b10f18 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272b10f18@e4ec10f43c66 0x2E 0x2B 0x00 0x8A ... 
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74f06dbcec5f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC2 0x7B 0x3C 0xC5 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0xA9 0x22 0xDA ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEA 0xF2 0x64 0xB1 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0x57 0x62 0xD9 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0746A21A-96E3-41F5-A1BB-D0B9C86DF107}\Connection@Name isatap.{93438653-A06C-451C-A3CE-260FEB8B08A5} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{0746A21A-96E3-41F5-A1BB-D0B9C86DF107}?\Device\{4F61CBDC-E32C-4DFD-B889-5FCF6F42AFFB}?\Device\{95BAA359-6464-4A4E-8EE1-1D6437628B3C}?\Device\{F251704F-1B97-4361-B51A-479B2594130B}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{0746A21A-96E3-41F5-A1BB-D0B9C86DF107}"?"{4F61CBDC-E32C-4DFD-B889-5FCF6F42AFFB}"?"{95BAA359-6464-4A4E-8EE1-1D6437628B3C}"?"{F251704F-1B97-4361-B51A-479B2594130B}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{0746A21A-96E3-41F5-A1BB-D0B9C86DF107}?\Device\TCPIP6TUNNEL_{4F61CBDC-E32C-4DFD-B889-5FCF6F42AFFB}?\Device\TCPIP6TUNNEL_{95BAA359-6464-4A4E-8EE1-1D6437628B3C}?\Device\TCPIP6TUNNEL_{F251704F-1B97-4361-B51A-479B2594130B}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 6 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ImagePath \??\C:\Windows\system32\drivers\aswFW.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! TDI Firewall Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 15 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 8 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 643 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 8482611 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@Enabled 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 14 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b10f18 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b10f18@e4ec10f43c66 0x54 0xA6 0x42 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b10f18@2c5a05368b22 0x8C 0x4B 0x1F 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dbcec5f Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{0746A21A-96E3-41F5-A1BB-D0B9C86DF107}@InterfaceName isatap.{93438653-A06C-451C-A3CE-260FEB8B08A5} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{0746A21A-96E3-41F5-A1BB-D0B9C86DF107}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@LeaseObtainedTime 1489426034 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@T1 1489426064 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@T2 1489426086 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2D6D2239-AA0B-4BAE-AD2B-07A1E8E17337}@LeaseTerminatesTime 1489426094 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{2d6d2239-aa0b-4bae-ad2b-07a1e8e17337}@Dhcpv6MaxLeaseExpireTime 1489426110 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{2d6d2239-aa0b-4bae-ad2b-07a1e8e17337}@Dhcpv6LeaseObtainedTime 1489426050 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Tag 6 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFW@ImagePath \??\C:\Windows\system32\drivers\aswFW.sys Reg HKLM\SYSTEM\ControlSet003\services\aswFW@DisplayName avast! TDI Firewall Driver Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Description avast! TDI Firewall Driver Reg HKLM\SYSTEM\ControlSet003\services\aswFW@Tag 15 Reg HKLM\SYSTEM\ControlSet003\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet003\services\aswKbd@Tag 8 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@BootCounter 643 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@TickCounter 8482611 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@Enabled 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Tag 14 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ImagePath "C:\Program Files\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ImagePath "C:\Program Files\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272b10f18 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272b10f18@e4ec10f43c66 0x54 0xA6 0x42 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272b10f18@2c5a05368b22 0x8C 0x4B 0x1F 0xDE ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74f06dbcec5f (not active ControlSet) ---- EOF - GMER 2.2 ----