GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-19 19:12:42 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB Running: hzbtvr5v.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kwrdipog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0xffffffff889d0490} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0xffffffff889cff90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 0000000100120280 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0xffffffff889cf990} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0xffffffff889cfa90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000001001201d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0xffffffff889cee90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0xffffffff889cee90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0xffffffff889ced90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0xffffffff889ced90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 0000000100120270 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\wininit.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0xffffffff889d0490} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0xffffffff889cff90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 0000000100120280 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0xffffffff889cf990} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0xffffffff889cfa90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000001001201d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0xffffffff889cee90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0xffffffff889cee90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0xffffffff889ced90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0xffffffff889ced90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 0000000100120270 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\hkcmd.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\igfxpers.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000769fd03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000000f1401 2 bytes JMP 76a0eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000000f1419 2 bytes JMP 76a1b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000000f1431 2 bytes JMP 76a98609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000000f144a 2 bytes CALL 769f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000000f14dd 2 bytes JMP 76a97efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000000f14f5 2 bytes JMP 76a980d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000000f150d 2 bytes JMP 76a97df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000000f1525 2 bytes JMP 76a981c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000000f153d 2 bytes JMP 76a0f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000000f1555 2 bytes JMP 76a1b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000000f156d 2 bytes JMP 76a986c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000000f1585 2 bytes JMP 76a98222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000000f159d 2 bytes JMP 76a97db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000000f15b5 2 bytes JMP 76a0f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000000f15cd 2 bytes JMP 76a1b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000000f16b2 2 bytes JMP 76a98584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000000f16bd 2 bytes JMP 76a97d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\taskhost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0xffffffff88920490} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0xffffffff8891ff90} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0xffffffff8891f990} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0xffffffff8891fa90} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0xffffffff8891ee90} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0xffffffff8891ee90} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0xffffffff8891ed90} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0xffffffff8891ed90} .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000031401 2 bytes JMP 76a0eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000031419 2 bytes JMP 76a1b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000031431 2 bytes JMP 76a98609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000003144a 2 bytes CALL 769f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000000314dd 2 bytes JMP 76a97efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000000314f5 2 bytes JMP 76a980d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000003150d 2 bytes JMP 76a97df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000031525 2 bytes JMP 76a981c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000003153d 2 bytes JMP 76a0f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000031555 2 bytes JMP 76a1b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000003156d 2 bytes JMP 76a986c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000031585 2 bytes JMP 76a98222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000003159d 2 bytes JMP 76a97db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000000315b5 2 bytes JMP 76a0f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000000315cd 2 bytes JMP 76a1b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000000316b2 2 bytes JMP 76a98584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000000316bd 2 bytes JMP 76a97d4d C:\Windows\syswow64\kernel32.dll .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text c:\Program Files\Intel\iCLS Client\HeciServer.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 0000000100070450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 0000000100070440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0xffffffff88920490} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 0000000100070360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 0000000100070460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000001000703d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 0000000100070310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000001000703a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 0000000100070380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000001000702d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000001000702c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0xffffffff8891ff90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 0000000100070300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000001000703b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000001000703e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 0000000100070220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 0000000100070470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 0000000100070390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000001000702e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 0000000100070340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 0000000100070280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000001000702a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0xffffffff8891f990} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000001000703c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0xffffffff8891fa90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 0000000100070320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 0000000100070400 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 0000000100070230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000001000701d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 0000000100070240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 0000000100070480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 0000000100070490 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000001000702f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 0000000100070350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 0000000100070290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000001000702b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 0000000100070370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 0000000100070330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 0000000100070430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 0000000100070250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0xffffffff8891ee90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 0000000100070260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0xffffffff8891ee90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 0000000100070200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000001000701f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 0000000100070410 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0xffffffff8891ed90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 0000000100070420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0xffffffff8891ed90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 0000000100070210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Windows\system32\wuauclt.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007774ff60 5 bytes JMP 00000000778b0450 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007774ffb0 1 byte JMP 00000000778b0440 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007774ffb2 3 bytes {JMP 0x160490} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077750110 5 bytes JMP 00000000778b0360 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077750160 5 bytes JMP 00000000778b0460 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077750170 5 bytes JMP 00000000778b03d0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077750220 5 bytes JMP 00000000778b0310 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077750250 5 bytes JMP 00000000778b03a0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077750270 5 bytes JMP 00000000778b0380 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777502b0 5 bytes JMP 00000000778b02d0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077750330 1 byte JMP 00000000778b02c0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077750332 3 bytes {JMP 0x15ff90} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077750350 5 bytes JMP 00000000778b0300 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077750390 5 bytes JMP 00000000778b03b0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777503e0 5 bytes JMP 00000000778b03e0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077750540 5 bytes JMP 00000000778b0220 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077750700 5 bytes JMP 00000000778b0470 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077750730 5 bytes JMP 00000000778b0390 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077750810 5 bytes JMP 00000000778b02e0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077750820 5 bytes JMP 00000000778b0340 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077750880 5 bytes JMP 00000000778b0280 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077750910 1 byte JMP 00000000778b02a0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077750912 3 bytes {JMP 0x15f990} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077750930 1 byte JMP 00000000778b03c0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077750932 3 bytes {JMP 0x15fa90} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077750940 5 bytes JMP 00000000778b0320 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777509b0 5 bytes JMP 00000000778b0400 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777509e0 5 bytes JMP 00000000778b0230 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077750ca0 5 bytes JMP 00000000778b01d0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077750d60 5 bytes JMP 00000000778b0240 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077750d90 5 bytes JMP 00000000778b0480 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077750da0 5 bytes JMP 00000000778b0490 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077750dd0 5 bytes JMP 00000000778b02f0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077750de0 5 bytes JMP 00000000778b0350 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077750e40 5 bytes JMP 00000000778b0290 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077750e90 5 bytes JMP 00000000778b02b0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077750ec0 5 bytes JMP 00000000778b0370 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077750ed0 5 bytes JMP 00000000778b0330 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777511c0 5 bytes JMP 00000000778b0430 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777513c0 1 byte JMP 00000000778b0250 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000777513c2 3 bytes {JMP 0x15ee90} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777513d0 1 byte JMP 00000000778b0260 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000777513d2 3 bytes {JMP 0x15ee90} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777513e0 5 bytes JMP 00000000778b03f0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777515a0 5 bytes JMP 00000000778b01e0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777515b0 5 bytes JMP 00000000778b0200 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077751620 5 bytes JMP 00000000778b01f0 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077751680 1 byte JMP 00000000778b0410 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077751682 3 bytes {JMP 0x15ed90} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077751690 1 byte JMP 00000000778b0420 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077751692 3 bytes {JMP 0x15ed90} .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777516a0 5 bytes JMP 00000000778b0210 .text C:\Users\Patryk\Downloads\FRST64.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077751780 5 bytes JMP 00000000778b0270 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4116:4248] 0000000076e07587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4116:4252] 000000006bfd758a Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4116:4424] 0000000077941c7f Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4116:3420] 0000000077942c91 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4116:3216] 0000000077942c91 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4116:2012] 0000000077942c91 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{34D81230-A7C6-4A22-B82F-D3D22CA819DD}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [1840] (Microsoft Malware Protection Engine/Microsoft Corporation)(2015-10-17 16:11:06) 000007fee3ed0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\a41731328ff4 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\a41731328ff4 (not active ControlSet) ---- EOF - GMER 2.1 ----