GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-17 23:40:01 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5001AALS-00L3B2 rev.01.03B01 465,76GB Running: 6hj2x9qc.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\kfrdqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000149cc0460 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000149cc0450 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000149cc0370 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000149cc0470 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000149cc03e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000149cc0320 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000149cc03b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000149cc0390 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000149cc02e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000149cc02d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000149cc0310 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000149cc03c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000149cc03f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000149cc0230 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000149cc0480 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000149cc03a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000149cc02f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000149cc0350 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000149cc0290 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000149cc02b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000149cc03d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000149cc0330 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000149cc0410 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000149cc0240 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000149cc01e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000149cc0250 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000149cc0490 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000149cc04a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000149cc0300 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000149cc0360 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000149cc02a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000149cc02c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000149cc0380 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000149cc0340 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000149cc0440 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000149cc0260 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000149cc0270 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000149cc0400 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000149cc01f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000149cc0210 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000149cc0200 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000149cc0420 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000149cc0430 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000149cc0220 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000149cc0280 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000149cc0460 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000149cc0450 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000149cc0370 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000149cc0470 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000149cc03e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000149cc0320 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000149cc03b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000149cc0390 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000149cc02e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000149cc02d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000149cc0310 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000149cc03c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000149cc03f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000149cc0230 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000149cc0480 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000149cc03a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000149cc02f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000149cc0350 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000149cc0290 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000149cc02b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000149cc03d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000149cc0330 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000149cc0410 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000149cc0240 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000149cc01e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000149cc0250 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000149cc0490 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000149cc04a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000149cc0300 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000149cc0360 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000149cc02a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000149cc02c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000149cc0380 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000149cc0340 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000149cc0440 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000149cc0260 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000149cc0270 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000149cc0400 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000149cc01f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000149cc0210 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000149cc0200 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000149cc0420 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000149cc0430 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000149cc0220 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000149cc0280 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\lsm.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\AUDIODG.EXE[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f91401 2 bytes JMP 7730b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f91419 2 bytes JMP 7730b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f91431 2 bytes JMP 77388f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f9144a 2 bytes CALL 772e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f914dd 2 bytes JMP 77388802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f914f5 2 bytes JMP 773889d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f9150d 2 bytes JMP 773886f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f91525 2 bytes JMP 77388ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f9153d 2 bytes JMP 772ffc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f91555 2 bytes JMP 773068bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f9156d 2 bytes JMP 77388fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f91585 2 bytes JMP 77388b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f9159d 2 bytes JMP 773886bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f915b5 2 bytes JMP 772ffd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f915cd 2 bytes JMP 7730b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f916b2 2 bytes JMP 77388e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f916bd 2 bytes JMP 77388651 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\System32\spoolsv.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\taskhost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077a8faa4 5 bytes JMP 00000001717819b0 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90034 5 bytes JMP 0000000171782066 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f91401 2 bytes JMP 7730b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f91419 2 bytes JMP 7730b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f91431 2 bytes JMP 77388f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f9144a 2 bytes CALL 772e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f914dd 2 bytes JMP 77388802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f914f5 2 bytes JMP 773889d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f9150d 2 bytes JMP 773886f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f91525 2 bytes JMP 77388ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f9153d 2 bytes JMP 772ffc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f91555 2 bytes JMP 773068bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f9156d 2 bytes JMP 77388fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f91585 2 bytes JMP 77388b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f9159d 2 bytes JMP 773886bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f915b5 2 bytes JMP 772ffd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f915cd 2 bytes JMP 7730b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f916b2 2 bytes JMP 77388e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f916bd 2 bytes JMP 77388651 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000752f17fa 2 bytes CALL 772e11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000752f1860 2 bytes CALL 772e11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000752f1942 2 bytes JMP 757c7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000752f194d 2 bytes JMP 757ccba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f91401 2 bytes JMP 7730b1ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f91419 2 bytes JMP 7730b31a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f91431 2 bytes JMP 77388f09 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f9144a 2 bytes CALL 772e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f914dd 2 bytes JMP 77388802 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f914f5 2 bytes JMP 773889d8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f9150d 2 bytes JMP 773886f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f91525 2 bytes JMP 77388ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f9153d 2 bytes JMP 772ffc78 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f91555 2 bytes JMP 773068bf C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f9156d 2 bytes JMP 77388fc1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f91585 2 bytes JMP 77388b22 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f9159d 2 bytes JMP 773886bc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f915b5 2 bytes JMP 772ffd11 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f915cd 2 bytes JMP 7730b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f916b2 2 bytes JMP 77388e84 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f916bd 2 bytes JMP 77388651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f91401 2 bytes JMP 7730b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f91419 2 bytes JMP 7730b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f91431 2 bytes JMP 77388f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f9144a 2 bytes CALL 772e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f914dd 2 bytes JMP 77388802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f914f5 2 bytes JMP 773889d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f9150d 2 bytes JMP 773886f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f91525 2 bytes JMP 77388ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f9153d 2 bytes JMP 772ffc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f91555 2 bytes JMP 773068bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f9156d 2 bytes JMP 77388fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f91585 2 bytes JMP 77388b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f9159d 2 bytes JMP 773886bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f915b5 2 bytes JMP 772ffd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f915cd 2 bytes JMP 7730b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f916b2 2 bytes JMP 77388e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f916bd 2 bytes JMP 77388651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\SearchIndexer.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000772e8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f91401 2 bytes JMP 7730b1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f91419 2 bytes JMP 7730b31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f91431 2 bytes JMP 77388f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f9144a 2 bytes CALL 772e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f914dd 2 bytes JMP 77388802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f914f5 2 bytes JMP 773889d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f9150d 2 bytes JMP 773886f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f91525 2 bytes JMP 77388ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f9153d 2 bytes JMP 772ffc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f91555 2 bytes JMP 773068bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f9156d 2 bytes JMP 77388fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f91585 2 bytes JMP 77388b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f9159d 2 bytes JMP 773886bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f915b5 2 bytes JMP 772ffd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f915cd 2 bytes JMP 7730b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f916b2 2 bytes JMP 77388e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f916bd 2 bytes JMP 77388651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[4044] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000772e8769 5 bytes [33, C0, C2, 04, 00] .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\system32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000100070230 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000100070350 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000100070330 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000100070250 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000100070400 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000100070280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778ddc80 5 bytes JMP 0000000077a40460 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778ddcd0 5 bytes JMP 0000000077a40450 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778dde30 5 bytes JMP 0000000077a40370 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778dde80 5 bytes JMP 0000000077a40470 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778dde90 5 bytes JMP 0000000077a403e0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778ddf40 5 bytes JMP 0000000077a40320 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778ddf70 5 bytes JMP 0000000077a403b0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778ddf90 5 bytes JMP 0000000077a40390 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778ddfd0 5 bytes JMP 0000000077a402e0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778de050 5 bytes JMP 0000000077a402d0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778de070 5 bytes JMP 0000000077a40310 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778de0b0 5 bytes JMP 0000000077a403c0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778de100 5 bytes JMP 0000000077a403f0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778de260 5 bytes JMP 0000000077a40230 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778de420 5 bytes JMP 0000000077a40480 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778de450 5 bytes JMP 0000000077a403a0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778de530 5 bytes JMP 0000000077a402f0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778de540 5 bytes JMP 0000000077a40350 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778de5a0 5 bytes JMP 0000000077a40290 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778de630 5 bytes JMP 0000000077a402b0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778de650 5 bytes JMP 0000000077a403d0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778de660 5 bytes JMP 0000000077a40330 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778de6d0 5 bytes JMP 0000000077a40410 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778de700 5 bytes JMP 0000000077a40240 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778de9c0 5 bytes JMP 0000000077a401e0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778dea80 5 bytes JMP 0000000077a40250 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778deab0 5 bytes JMP 0000000077a40490 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778deac0 5 bytes JMP 0000000077a404a0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778deaf0 5 bytes JMP 0000000077a40300 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778deb00 5 bytes JMP 0000000077a40360 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778deb60 5 bytes JMP 0000000077a402a0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778debb0 5 bytes JMP 0000000077a402c0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778debe0 5 bytes JMP 0000000077a40380 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778debf0 5 bytes JMP 0000000077a40340 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778deee0 5 bytes JMP 0000000077a40440 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778df0e0 5 bytes JMP 0000000077a40260 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778df0f0 5 bytes JMP 0000000077a40270 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778df100 5 bytes JMP 0000000077a40400 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778df2c0 5 bytes JMP 0000000077a401f0 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778df2d0 5 bytes JMP 0000000077a40210 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778df340 5 bytes JMP 0000000077a40200 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778df3a0 5 bytes JMP 0000000077a40420 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778df3b0 5 bytes JMP 0000000077a40430 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778df3c0 5 bytes JMP 0000000077a40220 .text C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\nacl64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778df4a0 5 bytes JMP 0000000077a40280 .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f91401 2 bytes JMP 7730b1ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f91419 2 bytes JMP 7730b31a C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f91431 2 bytes JMP 77388f09 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f9144a 2 bytes CALL 772e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f914dd 2 bytes JMP 77388802 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f914f5 2 bytes JMP 773889d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f9150d 2 bytes JMP 773886f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f91525 2 bytes JMP 77388ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f9153d 2 bytes JMP 772ffc78 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f91555 2 bytes JMP 773068bf C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f9156d 2 bytes JMP 77388fc1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f91585 2 bytes JMP 77388b22 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f9159d 2 bytes JMP 773886bc C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f915b5 2 bytes JMP 772ffd11 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f915cd 2 bytes JMP 7730b2b0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f916b2 2 bytes JMP 77388e84 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agnieszka\Desktop\6hj2x9qc.exe[5484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f916bd 2 bytes JMP 77388651 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004622ca4] \SystemRoot\system32\DRIVERS\360Box64.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\explorer.exe[6472] @ C:\Windows\explorer.exe[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\explorer.exe[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\DUser.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\DUser.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\DUI70.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\DUI70.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\MSCTF.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\MSCTF.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\UxTheme.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\UxTheme.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\UxTheme.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\msi.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\ATL.DLL[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\System32\shdocvw.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\msutb.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\msutb.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\System32\gameux.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\MsftEdit.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\authui.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\CRYPTUI.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\CRYPTUI.dll[USER32.dll!DrawTextExW] [7fef4f38f20] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\ntshrui.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\urlmon.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\dxp.dll[USER32.dll!FillRect] [7fef4f38ff0] c:\program files (x86)\stardock\fences\DesktopDock64.dll IAT C:\Windows\explorer.exe[6472] @ C:\Windows\system32\dxp.dll[USER32.dll!DrawTextW] [7fef4f38e60] c:\program files (x86)\stardock\fences\DesktopDock64.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1092:1020] 000007fef6234f84 Thread C:\Windows\system32\svchost.exe [1092:888] 000007feec60d3c8 Thread C:\Windows\system32\svchost.exe [1092:2652] 000007feec60d3c8 Thread C:\Windows\system32\svchost.exe [1092:3216] 000007feec60d3c8 Thread C:\Windows\system32\svchost.exe [1092:1248] 000007feec60d3c8 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Kaspersky Lab\PURE13\Bases\Cache\klavemu.kdl.b6b6dd223ad2aad28374217a028b59b0 (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [1788] (Heuristics engine/Kaspersky Lab ZAO)(2015-04-17 16:18:00) 0000000067410000 Library C:\ProgramData\Kaspersky Lab\PURE13\Bases\Cache\kjim.kdl.e30a2afa3b21fc3c867bdf51ac89005f (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [1788] (Script Heuristics Engine/Kaspersky Lab ZAO)(2015-04-17 19:25:41) 0000000067190000 Library C:\ProgramData\Kaspersky Lab\PURE13\Bases\Cache\mark.kdl.6c69ef8fd152138b474ef4e5105233c9 (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [1788] (Anti-Rootkit Engine/Kaspersky Lab ZAO)(2015-04-17 16:18:05) 0000000067130000 ---- EOF - GMER 2.1 ----