GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-03 14:33:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-6 WDC_WD10EZEX-22MFCA0 rev.01.01A01 931,51GB Running: yodw66se.exe; Driver: C:\Users\Home\AppData\Local\Temp\pwddapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd826d10 11 bytes JMP 000007fefd0c0180 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768beb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 000000007768c282 6 bytes {JMP 0xfffffffff8963e90} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\System32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077522b60 13 bytes JMP 000000006fff0260 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077531870 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dd20 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000775af6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000775af710 5 bytes JMP 000000006fff02d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileW 00000000775af7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000775af8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000775af910 10 bytes JMP 000000006fff0228 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileA 00000000775af940 10 bytes JMP 000000006fff01b8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000775b5730 5 bytes JMP 000000006fff0298 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdb22930 5 bytes JMP 000007fefd0c01b8 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd826d10 11 bytes JMP 000007fefd0c0180 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077522b60 13 bytes JMP 000000006fff0260 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077531870 5 bytes JMP 000000006fff0180 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dd20 5 bytes JMP 000000006fff0148 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000775af6e0 8 bytes JMP 000000006fff0340 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000775af710 5 bytes JMP 000000006fff02d0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileW 00000000775af7e0 10 bytes JMP 000000006fff01f0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000775af8e0 8 bytes JMP 000000006fff0308 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000775af910 10 bytes JMP 000000006fff0228 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileA 00000000775af940 10 bytes JMP 000000006fff01b8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000775b5730 5 bytes JMP 000000006fff0298 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2222e0 5 bytes JMP 000007fefd0c02d0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!BitBlt 000007feff222390 5 bytes JMP 000007fefd0c0308 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff223e20 5 bytes JMP 000007fefd0c0298 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff227574 5 bytes JMP 000007fefd0c0340 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff2281f4 9 bytes JMP 000007fefd0c01f0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff228824 9 bytes JMP 000007fefd0c01b8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!GetPixel 000007feff228d7c 5 bytes JMP 000007fefd0c0228 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff22bab4 5 bytes JMP 000007fefd0c03b0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff22c7b0 5 bytes JMP 000007fefd0c0378 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff2352c0 5 bytes JMP 000007fefd0c0260 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077425330 7 bytes JMP 000000006fff0c00 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077426ea0 8 bytes JMP 000000006fff0960 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774280e4 7 bytes JMP 000000006fff0ae8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetParent 0000000077428480 8 bytes JMP 000000006fff0998 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077429b10 6 bytes JMP 000000006fff0490 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!PostMessageA 000000007742a354 5 bytes JMP 000000006fff0570 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!EnableWindow 000000007742aa00 9 bytes JMP 000000006fff0b58 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!MoveWindow 000000007742aa30 8 bytes JMP 000000006fff09d0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007742b474 6 bytes JMP 000000006fff0500 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007742c63c 5 bytes JMP 000000006fff0928 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007742cc90 8 bytes JMP 000000006fff0ab0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007742d204 5 bytes JMP 000000006fff05e0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendMessageA 000000007742d290 5 bytes JMP 000000006fff0650 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007742dbc0 9 bytes JMP 000000006fff07d8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007742f490 1 byte JMP 000000006fff0b20 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SystemParametersInfoW + 2 000000007742f492 5 bytes {JMP 0xfffffffff8bc1690} .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007742f804 9 bytes JMP 000000006fff0420 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007742fa50 9 bytes JMP 000000006fff06f8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077430b14 10 bytes JMP 000000006fff0618 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077433340 8 bytes JMP 000000006fff04c8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077434ccc 5 bytes JMP 000000006fff0458 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!GetKeyState 0000000077434f80 5 bytes JMP 000000006fff08f0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000774353d0 7 bytes JMP 000000006fff0768 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendMessageW 0000000077436b04 5 bytes JMP 000000006fff0688 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000774376ac 8 bytes JMP 000000006fff0538 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!PostMessageW 00000000774376d4 7 bytes JMP 000000006fff05a8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007743dd9c 5 bytes JMP 000000006fff0848 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!GetClipboardData 000000007743e854 5 bytes JMP 000000006fff0a78 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007743f780 8 bytes JMP 000000006fff0a08 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774428d4 12 bytes JMP 000000006fff07a0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!mouse_event 0000000077443874 7 bytes JMP 000000006fff03b0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774489c0 8 bytes JMP 000000006fff08b8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077448b88 12 bytes JMP 000000006fff06c0 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077448bd0 12 bytes JMP 000000006fff03e8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendInput 0000000077448c90 8 bytes JMP 000000006fff0880 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!BlockInput 000000007744ad10 8 bytes JMP 000000006fff0a40 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!ClipCursor 000000007744ad60 8 bytes JMP 000000006fff0bc8 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077471534 5 bytes JMP 000000006fff0b90 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SetSystemCursor 00000000774945b0 5 bytes JMP 000000006fff0c38 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!keybd_event 0000000077494610 7 bytes JMP 000000006fff0378 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007749cc7c 5 bytes JMP 000000006fff0810 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007749df8c 7 bytes JMP 000000006fff0730 .text C:\Windows\Explorer.EXE[1752] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd826d10 11 bytes JMP 000007fefd0c0180 .text C:\Windows\System32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007783f9f0 5 bytes JMP 0000000074fa2c50 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007783fb38 5 bytes JMP 0000000074f983c0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fcc0 5 bytes JMP 0000000074f97970 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007783fd74 5 bytes JMP 0000000074f99180 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007783fdd8 5 bytes JMP 0000000074f98760 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007783fed0 5 bytes JMP 0000000074f9ac90 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007783ff84 5 bytes JMP 0000000074f96be0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007783ffb4 5 bytes JMP 0000000074f98970 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077840014 5 bytes JMP 0000000074f97530 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077840094 5 bytes JMP 0000000074f97780 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778400c4 5 bytes JMP 0000000074f98d20 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778403c8 5 bytes JMP 0000000074f9a180 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000778403e0 5 bytes JMP 0000000074f9ba50 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077840560 5 bytes JMP 0000000074f9b770 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778406a4 5 bytes JMP 0000000074f97b60 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077840704 5 bytes JMP 0000000074f9bb60 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778407ac 5 bytes JMP 0000000074f96ad0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000778407f4 5 bytes JMP 0000000074f9bc70 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077840884 5 bytes JMP 0000000074f96cf0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007784089c 5 bytes JMP 0000000074f9af60 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778408b4 5 bytes JMP 0000000074f9a6b0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077840e04 5 bytes JMP 0000000074f97dd0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077840ee8 5 bytes JMP 0000000074f981d0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077841bf4 5 bytes JMP 0000000074f97fc0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077841cc4 5 bytes JMP 0000000074f9ab40 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077841d9c 5 bytes JMP 0000000074f985b0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007785d2f6 7 bytes JMP 0000000074fa2ad0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076293bbb 5 bytes JMP 0000000074f95740 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076299abc 5 bytes JMP 0000000074f8f260 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000762a3b7a 7 bytes JMP 0000000074f8fe20 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000762acd11 5 bytes JMP 0000000074f8ef50 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000762fddde 7 bytes JMP 0000000074f8f490 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1276] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000762fde81 7 bytes JMP 0000000074f8f7a0 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\taskhost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768beb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2222e0 5 bytes JMP 000007fefd0c02d0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!BitBlt 000007feff222390 5 bytes JMP 000007fefd0c0308 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff223e20 5 bytes JMP 000007fefd0c0298 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff227574 5 bytes JMP 000007fefd0c0340 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff2281f4 9 bytes JMP 000007fefd0c01f0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff228824 9 bytes JMP 000007fefd0c01b8 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!GetPixel 000007feff228d7c 5 bytes JMP 000007fefd0c0228 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff22bab4 5 bytes JMP 000007fefd0c03b0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff22c7b0 5 bytes JMP 000007fefd0c0378 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff2352c0 5 bytes JMP 000007fefd0c0260 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd826d10 11 bytes JMP 000007fefd0c0180 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768beb0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff1140 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff0ed8 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff1060 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff0ff0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1098 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0d18 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff0fb8 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0df8 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0e30 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff1028 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff11b0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0ca8 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0c70 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff0f10 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0d50 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0ce0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 1 byte JMP 000000006fff0dc0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort + 2 000000007768c732 6 bytes {JMP 0xfffffffff8964690} .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0d88 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff10d0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1178 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff0f48 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1108 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff0f80 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0e68 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff0ea0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd826d10 11 bytes JMP 000007fefd0c0180 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff12c8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff1060 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff11e8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff1178 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0ea0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff1140 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0f80 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0fb8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff11b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff1338 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0e30 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0df8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff1098 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0ed8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0e68 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 8 bytes JMP 000000006fff0f48 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0f10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff1258 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff10d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff1108 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0ff0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff1028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077522b60 13 bytes JMP 000000006fff0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077531870 5 bytes JMP 000000006fff0180 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dd20 5 bytes JMP 000000006fff0148 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000775af6e0 8 bytes JMP 000000006fff0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000775af710 5 bytes JMP 000000006fff02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileW 00000000775af7e0 10 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000775af8e0 8 bytes JMP 000000006fff0308 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000775af910 10 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileA 00000000775af940 10 bytes JMP 000000006fff01b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000775b5730 5 bytes JMP 000000006fff0298 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2222e0 5 bytes JMP 000007fefd0c02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!BitBlt 000007feff222390 5 bytes JMP 000007fefd0c0308 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff223e20 5 bytes JMP 000007fefd0c0298 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff227574 5 bytes JMP 000007fefd0c0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff2281f4 9 bytes JMP 000007fefd0c01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff228824 9 bytes JMP 000007fefd0c01b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!GetPixel 000007feff228d7c 5 bytes JMP 000007fefd0c0228 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff22bab4 5 bytes JMP 000007fefd0c03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff22c7b0 5 bytes JMP 000007fefd0c0378 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff2352c0 5 bytes JMP 000007fefd0c0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd826d10 11 bytes JMP 000007fefd0c0180 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007768be00 7 bytes [48, B8, 60, 0D, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007768be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007768bf70 7 bytes [48, B8, E0, 0D, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007768bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768bf90 7 bytes [48, B8, D0, 11, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007768bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007768bfa0 7 bytes [48, B8, C0, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007768bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007768bfb0 7 bytes [48, B8, 40, 0C, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007768bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007768bfd0 7 bytes [48, B8, B0, 0C, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007768bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007768c020 7 bytes [48, B8, 50, 0E, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007768c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007768c030 7 bytes [48, B8, 20, 12, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007768c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 7 bytes [48, B8, 40, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007768c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007768c100 7 bytes [48, B8, 80, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007768c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 7 bytes [48, B8, C0, 0E, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007768c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007768ccf0 7 bytes [48, B8, 00, 12, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007768ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007768cd40 7 bytes [48, B8, A0, 11, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007768cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007768ce90 7 bytes [48, B8, A0, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007768ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007768be00 7 bytes [48, B8, 60, 0D, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007768be08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007768bf70 7 bytes [48, B8, E0, 0D, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007768bf78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768bf90 7 bytes [48, B8, D0, 11, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007768bf98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007768bfa0 7 bytes [48, B8, C0, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007768bfa8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007768bfb0 7 bytes [48, B8, 40, 0C, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007768bfb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007768bfd0 7 bytes [48, B8, B0, 0C, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007768bfd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007768c020 7 bytes [48, B8, 50, 0E, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007768c028 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007768c030 7 bytes [48, B8, 20, 12, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007768c038 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 7 bytes [48, B8, 40, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007768c068 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007768c100 7 bytes [48, B8, 80, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007768c108 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 7 bytes [48, B8, C0, 0E, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007768c288 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007768ccf0 7 bytes [48, B8, 00, 12, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007768ccf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007768cd40 7 bytes [48, B8, A0, 11, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007768cd48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007768ce90 7 bytes [48, B8, A0, 0F, 1B, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007768ce98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662280 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007768be20 8 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007768bef0 8 bytes JMP 000000006fff12c8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768bff0 8 bytes JMP 000000006fff1060 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007768c060 8 bytes JMP 000000006fff11e8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768c0a0 8 bytes JMP 000000006fff1178 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007768c140 8 bytes JMP 000000006fff1220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768c1b0 8 bytes JMP 000000006fff0ea0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768c1d0 8 bytes JMP 000000006fff1140 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768c210 8 bytes JMP 000000006fff0f80 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768c260 8 bytes JMP 000000006fff0fb8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007768c280 8 bytes JMP 000000006fff11b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007768c470 8 bytes JMP 000000006fff1338 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007768c480 8 bytes JMP 000000006fff0e30 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768c580 8 bytes JMP 000000006fff0df8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007768c650 8 bytes JMP 000000006fff1098 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007768c690 8 bytes JMP 000000006fff0ed8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007768c700 8 bytes JMP 000000006fff0e68 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007768c730 8 bytes JMP 000000006fff0f48 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007768c790 8 bytes JMP 000000006fff0f10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007768c7a0 8 bytes JMP 000000006fff1258 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007768c7b0 8 bytes JMP 000000006fff1300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007768cb20 8 bytes JMP 000000006fff10d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007768cbb0 8 bytes JMP 000000006fff1290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007768d420 8 bytes JMP 000000006fff1108 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007768d4a0 8 bytes JMP 000000006fff0ff0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007768d520 8 bytes JMP 000000006fff1028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4c3a50 7 bytes JMP 000007fefd0c0148 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2222e0 5 bytes JMP 000007fefd0c02d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!BitBlt 000007feff222390 5 bytes JMP 000007fefd0c0308 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007feff223e20 5 bytes JMP 000007fefd0c0298 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff227574 5 bytes JMP 000007fefd0c0340 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff2281f4 9 bytes JMP 000007fefd0c01f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff228824 9 bytes JMP 000007fefd0c01b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!GetPixel 000007feff228d7c 5 bytes JMP 000007fefd0c0228 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff22bab4 5 bytes JMP 000007fefd0c03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff22c7b0 5 bytes JMP 000007fefd0c0378 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007feff2352c0 5 bytes JMP 000007fefd0c0260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SwitchDesktop 0000000077425330 7 bytes JMP 000000006fff0d88 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077426ea0 8 bytes JMP 000000006fff0ae8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774280e4 7 bytes JMP 000000006fff0c70 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetParent 0000000077428480 8 bytes JMP 000000006fff0b20 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077429b10 6 bytes JMP 000000006fff0618 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!PostMessageA 000000007742a354 5 bytes JMP 000000006fff06f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!EnableWindow 000000007742aa00 9 bytes JMP 000000006fff0ce0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!MoveWindow 000000007742aa30 8 bytes JMP 000000006fff0b58 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWindowLongPtrA 000000007742b474 6 bytes JMP 000000006fff0688 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007742c63c 5 bytes JMP 000000006fff0ab0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007742cc90 8 bytes JMP 000000006fff0c38 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007742d204 5 bytes JMP 000000006fff0768 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendMessageA 000000007742d290 5 bytes JMP 000000006fff07d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007742dbc0 9 bytes JMP 000000006fff0960 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007742f490 7 bytes JMP 000000006fff0ca8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007742f804 9 bytes JMP 000000006fff05a8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007742fa50 9 bytes JMP 000000006fff0880 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077430b14 10 bytes JMP 000000006fff07a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077433340 8 bytes JMP 000000006fff0650 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!PeekMessageA 00000000774339b0 5 bytes JMP 000000006fff0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077434ccc 5 bytes JMP 000000006fff05e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!GetKeyState 0000000077434f80 5 bytes JMP 000000006fff0a78 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000774353d0 7 bytes JMP 000000006fff08f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!GetMessageA 00000000774360d0 7 bytes JMP 000000006fff03e8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!IsDialogMessageW 0000000077436680 5 bytes JMP 000000006fff0538 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendMessageW 0000000077436b04 5 bytes JMP 000000006fff0810 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWindowLongPtrW 00000000774376ac 8 bytes JMP 000000006fff06c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!PostMessageW 00000000774376d4 7 bytes JMP 000000006fff0730 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!PeekMessageW 0000000077438fd4 5 bytes JMP 000000006fff0490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!TranslateMessage 00000000774396e0 6 bytes JMP 000000006fff04c8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!GetMessageW 0000000077439e54 6 bytes JMP 000000006fff0420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007743dd9c 5 bytes JMP 000000006fff09d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!GetClipboardData 000000007743e854 5 bytes JMP 000000006fff0c00 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007743f780 8 bytes JMP 000000006fff0b90 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774428d4 12 bytes JMP 000000006fff0928 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!mouse_event 0000000077443874 7 bytes JMP 000000006fff03b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774489c0 8 bytes JMP 000000006fff0a40 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077448b88 12 bytes JMP 000000006fff0848 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077448bd0 12 bytes JMP 000000006fff0570 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendInput 0000000077448c90 8 bytes JMP 000000006fff0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!BlockInput 000000007744ad10 8 bytes JMP 000000006fff0bc8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!ClipCursor 000000007744ad60 8 bytes JMP 000000006fff0d50 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077471534 5 bytes JMP 000000006fff0d18 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!IsDialogMessage 00000000774732b8 7 bytes JMP 000000006fff0500 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SetSystemCursor 00000000774945b0 5 bytes JMP 000000006fff0dc0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!keybd_event 0000000077494610 7 bytes JMP 000000006fff0378 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007749cc7c 5 bytes JMP 000000006fff0998 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4568] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007749df8c 7 bytes JMP 000000006fff08b8 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007783f9f0 5 bytes JMP 0000000074fa2c50 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007783fb38 5 bytes JMP 0000000074f983c0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fcc0 5 bytes JMP 0000000074f97970 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007783fd74 5 bytes JMP 0000000074f99180 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007783fdd8 5 bytes JMP 0000000074f98760 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007783fed0 5 bytes JMP 0000000074f9ac90 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007783ff84 5 bytes JMP 0000000074f96be0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007783ffb4 5 bytes JMP 0000000074f98970 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077840014 5 bytes JMP 0000000074f97530 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077840094 5 bytes JMP 0000000074f97780 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778400c4 5 bytes JMP 0000000074f98d20 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778403c8 5 bytes JMP 0000000074f9a180 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000778403e0 5 bytes JMP 0000000074f9ba50 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077840560 5 bytes JMP 0000000074f9b770 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778406a4 5 bytes JMP 0000000074f97b60 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077840704 5 bytes JMP 0000000074f9bb60 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778407ac 5 bytes JMP 0000000074f96ad0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000778407f4 5 bytes JMP 0000000074f9bc70 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077840884 5 bytes JMP 0000000074f96cf0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007784089c 5 bytes JMP 0000000074f9af60 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778408b4 5 bytes JMP 0000000074f9a6b0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077840e04 5 bytes JMP 0000000074f97dd0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077840ee8 5 bytes JMP 0000000074f981d0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077841bf4 5 bytes JMP 0000000074f97fc0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077841cc4 5 bytes JMP 0000000074f9ab40 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077841d9c 5 bytes JMP 0000000074f985b0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007785d2f6 7 bytes JMP 0000000074fa2ad0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076293bbb 5 bytes JMP 0000000074f95740 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076299abc 5 bytes JMP 0000000074f8f260 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000762a3b7a 7 bytes JMP 0000000074f8fe20 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000762acd11 5 bytes JMP 0000000074f8ef50 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000762fddde 7 bytes JMP 0000000074f8f490 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000762fde81 7 bytes JMP 0000000074f8f7a0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007689f8a7 5 bytes JMP 0000000074fa2ab0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 00000000768a2e0b 4 bytes CALL 71030000 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d58332 5 bytes JMP 0000000074fa3c20 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d58bff 5 bytes JMP 0000000074fa4590 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d590d3 7 bytes JMP 0000000074fa3640 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d59679 5 bytes JMP 0000000074fa4a80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d597d2 5 bytes JMP 0000000074fa4ff0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d5ee21 5 bytes JMP 0000000074fa3810 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d5efe1 5 bytes JMP 0000000074fa7720 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d612bd 5 bytes JMP 0000000074fa40a0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d62797 5 bytes JMP 0000000074fa66b0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d63ef0 5 bytes JMP 0000000074fa6d60 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d645cc 5 bytes JMP 0000000074fa6f80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d6460c 5 bytes JMP 0000000074fa7940 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d64713 5 bytes JMP 0000000074fa6920 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d647e5 5 bytes JMP 0000000074fa6410 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d64bbc 5 bytes JMP 0000000074fa3e00 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d64d1d 5 bytes JMP 0000000074fa4340 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d671e0 5 bytes JMP 0000000074fa3a40 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d671fe 5 bytes JMP 0000000074fa47e0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d67d59 7 bytes JMP 0000000074fa3460 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d681f5 5 bytes JMP 0000000074fa3140 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d6825a 5 bytes JMP 0000000074fa5a80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d682d2 5 bytes JMP 0000000074fa5550 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d68411 5 bytes JMP 0000000074fa4d20 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d68f4c 5 bytes JMP 0000000074fa2e80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d6cc1e 5 bytes JMP 0000000074fa7170 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!ClipCursor 0000000076d6f2b3 5 bytes JMP 0000000074fa7d50 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d7a072 5 bytes JMP 0000000074fa5d10 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d7dbf5 5 bytes JMP 0000000074fa5f60 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d7ff2a 5 bytes JMP 0000000074fa61b0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SwitchDesktop 0000000076d998b5 5 bytes JMP 0000000074fa7fb0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d99fa4 5 bytes JMP 0000000074fa7510 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076da1533 5 bytes JMP 0000000074fa7b70 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SetSystemCursor 0000000076db0299 5 bytes JMP 0000000074fa8150 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076db030f 5 bytes JMP 0000000074f90d70 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076db0353 5 bytes JMP 0000000074f90ba0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076db6d94 5 bytes JMP 0000000074fa52b0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076db6df5 5 bytes JMP 0000000074fa57f0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076db7e6f 5 bytes JMP 0000000074fa7340 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076db8983 5 bytes JMP 0000000074fa6b80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000767258b3 5 bytes JMP 0000000074f91960 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076725ea5 5 bytes JMP 0000000074f90f80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076727bcc 1 byte JMP 0000000074f908d0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!CreateDCA + 2 0000000076727bce 3 bytes {JMP 0xfffffffffe868d04} .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007672ae82 5 bytes JMP 0000000074f91f00 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007672b98a 5 bytes JMP 0000000074f91a30 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007672bd7d 5 bytes JMP 0000000074f916e0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007672c08c 5 bytes JMP 0000000074f91c70 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007672cf11 5 bytes JMP 0000000074f911f0 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007672e935 5 bytes JMP 0000000074f90a80 .text C:\Users\Home\Downloads\yodw66se.exe[4796] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076754aa2 5 bytes JMP 0000000074f91470 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001048e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001048c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001049654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001049a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010498ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee8c89148] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee8c889c4] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee8c89130] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee8c89390] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1316] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee7dc25e8] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.110\chrome_child.dll ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-7 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-6 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort6 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort7 fffffa80025d82c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80025d82c0 Device \FileSystem\Ntfs \Ntfs fffffa80025de2c0 Device \FileSystem\fastfat \Fat fffffa8001bec2c0 Device \Driver\atapi \Device\ScsiPort7 fffffa80025d82c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80036d32c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80036d32c0 Device \Driver\cdrom \Device\CdRom0 fffffa800318e2c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa80036d32c0 Device \Driver\USBSTOR \Device\00000065 fffffa80042aa2c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80036d32c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa80036d32c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80036d32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3DD134FF-061F-4834-AF54-C0C56F273933} fffffa80033052c0 Device \Driver\USBSTOR \Device\00000066 fffffa80042aa2c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80036d32c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80036eb2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80036d32c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80033052c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa80036d32c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80036d32c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa80036d32c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80025d82c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80036d32c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80025d82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6EF8D372-1D30-4687-A562-E26C159E303B} fffffa80033052c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80025d82c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80025d82c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80025d82c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80025d82c0 Device \Driver\atapi \Device\ScsiPort6 fffffa80025d82c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80025d82c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80025d82c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80028b1060] fffffa80028b1060 Trace 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-6[0xfffffa8002707680] fffffa8002707680 Trace \Driver\atapi[0xfffffa80026c5060] -> IRP_MJ_CREATE -> 0xfffffa80025d82c0 fffffa80025d82c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [1544:2172] 000007fef7367130 Thread C:\Windows\system32\svchost.exe [1544:2176] 000007fef735d5c0 Thread C:\Windows\system32\svchost.exe [1600:2400] 000007fef4fc6e5c Thread C:\Windows\system32\svchost.exe [1600:1548] 000007fef4fc5708 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@2cae2bcd62a0 0x91 0x1E 0x90 0xC9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@8001842211a0 0x92 0x62 0x82 0x6D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@18686a76f3ac 0x68 0x57 0x9B 0xFD ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@9cd35be16060 0xA8 0xDE 0xCE 0x42 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@0cd6bd651510 0x21 0xB2 0xCC 0xB4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@e0db102504d0 0xA5 0x86 0x7D 0xB7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@dc0b3441e568 0x47 0x45 0x88 0x0C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@389496db6367 0xB3 0x70 0x70 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@68ebae3b5661 0x82 0x40 0x5A 0xE9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@800184a2d8ba 0x08 0x43 0x56 0xDB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00081b02985f@accf859e582e 0x4B 0xCB 0xD8 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB3 0x98 0xD6 0x34 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@2cae2bcd62a0 0x91 0x1E 0x90 0xC9 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@8001842211a0 0x92 0x62 0x82 0x6D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@18686a76f3ac 0x68 0x57 0x9B 0xFD ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@9cd35be16060 0xA8 0xDE 0xCE 0x42 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@0cd6bd651510 0x21 0xB2 0xCC 0xB4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@e0db102504d0 0xA5 0x86 0x7D 0xB7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@dc0b3441e568 0x47 0x45 0x88 0x0C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@389496db6367 0xB3 0x70 0x70 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@68ebae3b5661 0x82 0x40 0x5A 0xE9 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@800184a2d8ba 0x08 0x43 0x56 0xDB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00081b02985f@accf859e582e 0x4B 0xCB 0xD8 0xA3 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB3 0x98 0xD6 0x34 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----