GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-27 01:15:46 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000027 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB Running: tsggg7g3.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\kwryipob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600010be00 7 bytes [C0, CB, 1C, 01, 00, 7B, 9B] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff9600010be08 7 bytes [01, 10, E4, FF, 00, 5F, E8] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\System32\smss.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\System32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 6 000007fa02bf2c96 8 bytes [50, 04, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 6 000007fa02bf2ce6 8 bytes [40, 04, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 6 000007fa02bf2e46 8 bytes [60, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 6 000007fa02bf2e96 8 bytes [60, 04, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 6 000007fa02bf2ea6 8 bytes [D0, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 6 000007fa02bf2f56 8 bytes [10, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 6 000007fa02bf2f86 8 bytes [A0, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 6 000007fa02bf2fa6 8 bytes [80, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 6 000007fa02bf2fe6 8 bytes [D0, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 6 000007fa02bf3066 8 bytes [C0, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 7 000007fa02bf3087 7 bytes [03, 8D, 00, 00, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 6 000007fa02bf30c6 8 bytes [B0, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 6 000007fa02bf3116 8 bytes [E0, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 6 000007fa02bf3287 8 bytes [20, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 6 000007fa02bf3477 8 bytes [70, 04, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 6 000007fa02bf34a7 8 bytes [90, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 6 000007fa02bf35b7 8 bytes [E0, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 6 000007fa02bf35d7 8 bytes [40, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 6 000007fa02bf3647 8 bytes [80, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 6 000007fa02bf36d7 8 bytes [A0, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 6 000007fa02bf36f7 8 bytes [C0, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 6 000007fa02bf3707 8 bytes [20, 03, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 7 000007fa02bf37a8 7 bytes [04, 8D, 00, 00, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 6 000007fa02bf37d7 8 bytes [30, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 6 000007fa02bf3ae7 8 bytes [D0, 01, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 6 000007fa02bf3ba7 8 bytes [40, 02, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 6 000007fa02bf3bd7 8 bytes [80, 04, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 6 000007fa02bf3be7 8 bytes [90, 04, 8D, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 6 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 7 000007fa02bf4448 7 bytes [02, 8D, 00, 00, 00, 00, 00] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\System32\spoolsv.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\svchost.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\wbem\wmiprvse.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\SearchIndexer.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\svchost.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\System32\svchost.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 6 000007fa02bf2c96 8 bytes [50, 04, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 6 000007fa02bf2ce6 8 bytes [40, 04, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 6 000007fa02bf2e46 8 bytes [60, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 6 000007fa02bf2e96 8 bytes [60, 04, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 6 000007fa02bf2ea6 8 bytes [D0, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 6 000007fa02bf2f56 8 bytes [10, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 6 000007fa02bf2f86 8 bytes [A0, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 6 000007fa02bf2fa6 8 bytes [80, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 6 000007fa02bf2fe6 8 bytes [D0, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 6 000007fa02bf3066 8 bytes [C0, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 7 000007fa02bf3087 7 bytes [03, 1C, 00, 00, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 6 000007fa02bf30c6 8 bytes [B0, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 6 000007fa02bf3116 8 bytes [E0, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 6 000007fa02bf3287 8 bytes [20, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 6 000007fa02bf3477 8 bytes [70, 04, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 6 000007fa02bf34a7 8 bytes [90, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 6 000007fa02bf35b7 8 bytes [E0, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 6 000007fa02bf35d7 8 bytes [40, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 6 000007fa02bf3647 8 bytes [80, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 6 000007fa02bf36d7 8 bytes [A0, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 6 000007fa02bf36f7 8 bytes [C0, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 6 000007fa02bf3707 8 bytes [20, 03, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 7 000007fa02bf37a8 7 bytes [04, 1C, 00, 00, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 6 000007fa02bf37d7 8 bytes [30, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 6 000007fa02bf3ae7 8 bytes [D0, 01, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 6 000007fa02bf3ba7 8 bytes [40, 02, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 6 000007fa02bf3bd7 8 bytes [80, 04, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes [FF, 25, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 6 000007fa02bf3be7 8 bytes [90, 04, 1C, 00, 00, 00, 00, ...] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 6 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 7 000007fa02bf4448 7 bytes [02, 1C, 00, 00, 00, 00, 00] .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\SFK\SSFK.exe[9564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\wbem\wmiprvse.exe[10224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\csrss.exe[9244] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 .text C:\Windows\system32\atieclxx.exe[6048] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fa00f5177a 4 bytes [F5, 00, FA, 07] .text C:\Windows\system32\atieclxx.exe[6048] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fa00f51782 4 bytes [F5, 00, FA, 07] .text C:\Windows\system32\atieclxx.exe[6048] C:\Windows\system32\WSOCK32.dll!recvfrom + 742 000007f9fbb51b32 4 bytes [B5, FB, F9, 07] .text C:\Windows\system32\atieclxx.exe[6048] C:\Windows\system32\WSOCK32.dll!recvfrom + 750 000007f9fbb51b3a 4 bytes [B5, FB, F9, 07] .text C:\Windows\Explorer.EXE[7980] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fa00f5177a 4 bytes [F5, 00, FA, 07] .text C:\Windows\Explorer.EXE[7980] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fa00f51782 4 bytes [F5, 00, FA, 07] .text C:\Windows\Explorer.EXE[7980] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007f9f4721532 4 bytes [72, F4, F9, 07] .text C:\Windows\Explorer.EXE[7980] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007f9f472153a 4 bytes [72, F4, F9, 07] .text C:\Windows\Explorer.EXE[7980] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f9f472165a 4 bytes [72, F4, F9, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9116] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fa00f5177a 4 bytes [F5, 00, FA, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9116] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fa00f51782 4 bytes [F5, 00, FA, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[6536] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fa00f5177a 4 bytes [F5, 00, FA, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[6536] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fa00f51782 4 bytes [F5, 00, FA, 07] ? C:\Windows\SYSTEM32\BsHelpCSps.dll [7860] entry point in ".data" section 00000000032d5055 ? C:\Windows\SYSTEM32\BlueSoleilCSps.dll [7860] entry point in ".rdata" section 00000000042d4085 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fa02bf2c90 5 bytes JMP 000007fa82dc0450 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fa02bf2ce0 5 bytes JMP 000007fa82dc0440 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fa02bf2e40 5 bytes JMP 000007fa82dc0360 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fa02bf2e90 5 bytes JMP 000007fa82dc0460 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fa02bf2ea0 5 bytes JMP 000007fa82dc03d0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fa02bf2f50 5 bytes JMP 000007fa82dc0310 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fa02bf2f80 5 bytes JMP 000007fa82dc03a0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fa02bf2fa0 5 bytes JMP 000007fa82dc0380 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fa02bf2fe0 5 bytes JMP 000007fa82dc02d0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fa02bf3060 5 bytes JMP 000007fa82dc02c0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fa02bf3080 5 bytes JMP 000007fa82dc0300 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fa02bf30c0 5 bytes JMP 000007fa82dc03b0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fa02bf3110 5 bytes JMP 000007fa82dc03e0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fa02bf3281 5 bytes JMP 000007fa82dc0220 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fa02bf3471 5 bytes JMP 000007fa82dc0470 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fa02bf34a1 5 bytes JMP 000007fa82dc0390 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fa02bf35b1 5 bytes JMP 000007fa82dc02e0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fa02bf35d1 5 bytes JMP 000007fa82dc0340 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fa02bf3641 5 bytes JMP 000007fa82dc0280 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fa02bf36d1 5 bytes JMP 000007fa82dc02a0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fa02bf36f1 5 bytes JMP 000007fa82dc03c0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fa02bf3701 5 bytes JMP 000007fa82dc0320 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fa02bf37a1 5 bytes JMP 000007fa82dc0400 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fa02bf37d1 5 bytes JMP 000007fa82dc0230 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fa02bf3ae1 5 bytes JMP 000007fa82dc01d0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fa02bf3ba1 5 bytes JMP 000007fa82dc0240 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fa02bf3bd1 5 bytes JMP 000007fa82dc0480 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fa02bf3be1 5 bytes JMP 000007fa82dc0490 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fa02bf3c11 5 bytes JMP 000007fa82dc02f0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fa02bf3c21 5 bytes JMP 000007fa82dc0350 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fa02bf3c81 5 bytes JMP 000007fa82dc0290 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fa02bf3cd1 5 bytes JMP 000007fa82dc02b0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fa02bf3d01 5 bytes JMP 000007fa82dc0370 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fa02bf3d11 5 bytes JMP 000007fa82dc0330 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fa02bf4021 5 bytes JMP 000007fa82dc0430 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fa02bf4221 5 bytes JMP 000007fa82dc0250 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fa02bf4231 5 bytes JMP 000007fa82dc0260 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fa02bf4251 5 bytes JMP 000007fa82dc03f0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fa02bf4431 5 bytes JMP 000007fa82dc01e0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fa02bf4441 5 bytes JMP 000007fa82dc0200 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fa02bf44b1 5 bytes JMP 000007fa82dc01f0 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fa02bf4521 5 bytes JMP 000007fa82dc0410 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fa02bf4531 5 bytes JMP 000007fa82dc0420 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fa02bf4541 5 bytes JMP 000007fa82dc0210 .text C:\Windows\system32\DllHost.exe[11116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fa02bf4651 5 bytes JMP 000007fa82dc0270 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\Explorer.EXE[USER32.dll!EndPaint] [7f9fd2a1f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\Explorer.EXE[USER32.dll!DeferWindowPos] [7f9fd2a1da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow] [7f9fd2a1a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7f9fd2a1da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\SHELL32.dll[USER32.dll!MoveWindow] [7f9fd2a1a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\SHELL32.dll[USER32.dll!EndPaint] [7f9fd2a1f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\SYSTEM32\UxTheme.dll[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9200.16384_none_72771d4ecc1c3a4d\gdiplus.dll[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\IMM32.DLL[USER32.dll!EndPaint] [7f9fd2a1f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\IMM32.DLL[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\MSCTF.dll[USER32.dll!MoveWindow] [7f9fd2a1a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\MSCTF.dll[USER32.dll!EndPaint] [7f9fd2a1f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697189c07f\COMCTL32.dll[USER32.dll!DeferWindowPos] [7f9fd2a1da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697189c07f\COMCTL32.dll[USER32.dll!EndPaint] [7f9fd2a1f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697189c07f\COMCTL32.dll[USER32.dll!MoveWindow] [7f9fd2a1a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[7980] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697189c07f\COMCTL32.dll[USER32.dll!SetWindowPos] [7f9fd2a1bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll ---- Threads - GMER 2.1 ---- Thread [1768:1780] 0000000072d5f110 Thread [1768:1812] 00000000770a6f00 Thread [1768:1816] 000000007319f28e Thread [1768:1824] 00000000754a8064 Thread [1768:5140] 000000007319f28e Thread [1768:5048] 000000007319f28e Thread [1768:5780] 000000007319f28e Thread [1768:4384] 000000007319f28e Thread [1768:4672] 00000000723deb00 Thread [1768:1692] 00000000723ddd00 Thread [1768:116] 000000007319f28e Thread [1768:4360] 000000007319f28e Thread [1768:4664] 00000000715b91f0 Thread [1768:4480] 00000000723ba5b0 Thread [1768:5724] 00000000723ba5b0 Thread [1768:5644] 00000000723ba5b0 Thread [1768:5036] 00000000723ba5b0 Thread [1768:5764] 00000000723ba5b0 Thread [1768:4492] 00000000723ba5b0 Thread [1768:5688] 00000000723bb600 Thread [1768:5860] 00000000723bb600 Thread [1768:5744] 00000000723baae0 Thread [1768:5728] 000000007242bdb0 Thread [1768:5732] 000000007242ab70 Thread [1768:5244] 000000007242afb0 Thread [1768:3280] 00000000723bdb00 Thread [1768:5132] 00000000723bdb00 Thread [1768:4120] 00000000723bdb00 Thread [1768:2696] 00000000723bdb00 Thread [1768:6076] 00000000723bdb00 Thread [1768:5348] 00000000723bdb00 Thread [1768:3144] 00000000723bd7c0 Thread [1768:3756] 0000000071b61080 Thread [1768:3868] 0000000071581000 Thread [1768:2468] 0000000071541c60 Thread [1768:5360] 000000007319f28e Thread [1768:5344] 0000000071546d50 Thread [1768:4204] 0000000071546d50 Thread [1768:1564] 000000007319f28e Thread [1768:6008] 00000000723df860 Thread [1768:5988] 00000000723bcf70 Thread [1768:6044] 000000007319f28e Thread [1768:5880] 0000000074cd4f62 Thread [1768:1712] 0000000070b17419 Thread [1768:4576] 000000007250c3a0 Thread [1768:3060] 0000000072348d50 Thread [1768:5608] 0000000071b616d0 Thread [1768:720] 000000005c87ae20 Thread [1768:2532] 000000007319f28e Thread [1768:4640] 00000000728b12d0 Thread [1768:4980] 00000000728b43c0 Thread [1768:5508] 000000007319f28e Thread [1768:1880] 000000007319f28e Thread [1768:5116] 000000007319f28e Thread [1768:2352] 000000007319f28e Thread [1768:5604] 000000007319f28e Thread [1768:3460] 000000005c7673f0 Thread [1768:1612] 000000005c7673f0 Thread [1768:700] 000000005c7673f0 Thread [1768:4996] 000000005c7673f0 Thread [1768:6064] 000000007319f28e Thread [1768:4872] 000000005b480c4a Thread [1768:2392] 000000007319f28e Thread [1768:4240] 00000000731e4de8 Thread [1768:4440] 00000000731e4de8 Thread [1768:5000] 000000007319f28e Thread [1768:6700] 000000005b480c4a Thread [1768:2312] 00000000715b9080 Thread [1768:7772] 000000007319f28e Thread [1768:6288] 00000000715b9080 Thread [1768:7384] 00000000715b9080 Thread [1768:7580] 00000000715b9080 Thread [1768:5440] 00000000715b9080 Thread [1768:9640] 000000005c890820 Thread [1768:3396] 000000005c890820 Thread [1768:5492] 000000007319f28e Thread [1768:9440] 000000005e8cb5c0 Thread [1768:4336] 00000000770a6f00 Thread [1768:3156] 00000000770a6f00 Thread [1768:5932] 00000000770a6f00 Thread [1768:5484] 00000000770a6f00 Thread [1768:3848] 00000000715b9080 Thread [1768:11112] 00000000715b9080 Thread [1768:11028] 00000000770a6f00 Thread [1768:5368] 00000000770a6f00 Thread [1768:11252] 000000007319f28e Thread [1768:11228] 000000007319f28e Thread [1768:8224] 00000000712474e5 Thread [1768:8652] 00000000770a6f00 Thread [1768:9312] 000000007319f28e Thread [1768:4352] 00000000770a6f00 Thread C:\Windows\system32\csrss.exe [8068:7572] fffff96000230d90 Thread C:\Windows\system32\csrss.exe [740:8492] fffff96000230d90 Thread C:\Windows\system32\csrss.exe [9244:6080] fffff960009c85e8 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\JWMiniProJ\WMiniPro.exe (*** suspicious ***) @ C:\ProgramData\JWMiniProJ\WMiniPro.exe [2884] (DTools/DTools LIMITED)(2015-11-25 08:12:59) 00000000009d0000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [7980] (GG drive overlay/GG Network S.A.)(2014-12-09 18:24:02) 000000005c080000 Library C:\Users\Krzysiek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [7980] (GG drive menu/GG Network S.A.)(2014-11-18 19:02:44) 000000005ff80000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----