GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-22 12:36:39 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006b ST950032 rev.0002 465,76GB Running: nt6di3v8.exe; Driver: C:\Users\JOANNA\AppData\Local\Temp\fxldrpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 0000000000040480 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 0000000000040470 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 0000000000040360 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 0000000000040490 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000000403d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 0000000000040310 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000000403a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 0000000000040380 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0xffffffff888b4490} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000000402d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000000402c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 0000000000040300 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000000403b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 0000000000040440 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000000403e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 0000000000040220 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000000404a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 0000000000040390 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000000402e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 0000000000040340 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 0000000000040280 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000000402a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000000403c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 0000000000040320 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 0000000000040410 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 0000000000040230 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000000403f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000000401d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 0000000000040240 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000000404b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000000404c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000000402f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 0000000000040350 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 0000000000040290 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000000402b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 0000000000040370 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 0000000000040330 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 0000000000040460 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 0000000000040420 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 0000000000040250 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 0000000000040260 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 0000000000040400 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000000401e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 0000000000040200 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000000401f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 0000000000040430 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 0000000000040450 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 0000000000040210 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 0000000000040270 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 000000004a440480 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 000000004a440470 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 000000004a440360 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 000000004a440490 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 000000004a4403d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 000000004a440310 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 000000004a4403a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 000000004a440380 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0xffffffffd2cb4490} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 000000004a4402d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 000000004a4402c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 000000004a440300 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 000000004a4403b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 000000004a440440 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 000000004a4403e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 000000004a440220 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 000000004a4404a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 000000004a440390 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 000000004a4402e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 000000004a440340 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 000000004a440280 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 000000004a4402a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 000000004a4403c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 000000004a440320 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 000000004a440410 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 000000004a440230 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 000000004a4403f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 000000004a4401d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 000000004a440240 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 000000004a4404b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 000000004a4404c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 000000004a4402f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 000000004a440350 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 000000004a440290 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 000000004a4402b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 000000004a440370 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 000000004a440330 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 000000004a440460 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 000000004a440420 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 000000004a440250 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 000000004a440260 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 000000004a440400 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 000000004a4401e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 000000004a440200 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 000000004a4401f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 000000004a440430 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 000000004a440450 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 000000004a440210 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 000000004a440270 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0xffffffff888e4490} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\Explorer.EXE[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\system32\svchost.exe[1844] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 0000000080120ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb147b34 5 bytes JMP 000007fefb1d0ffa .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1108] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb1503c0 5 bytes JMP 000007fefb1f0ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 00000000717a0ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 00000000717d0ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 0000000071800ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 0000000071830ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 0000000071890ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071860ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077941930 5 bytes JMP 0000000071770ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077941bf4 5 bytes JMP 0000000071740ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071250ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076811401 2 bytes JMP 76ccb263 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076811419 2 bytes JMP 76ccb38e C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076811431 2 bytes JMP 76d490f1 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007681144a 2 bytes CALL 76ca48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768114dd 2 bytes JMP 76d489ea C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768114f5 2 bytes JMP 76d48bc0 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007681150d 2 bytes JMP 76d488e0 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076811525 2 bytes JMP 76d48caa C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007681153d 2 bytes JMP 76cbfce8 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076811555 2 bytes JMP 76cc6937 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007681156d 2 bytes JMP 76d491a9 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076811585 2 bytes JMP 76d48d0a C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007681159d 2 bytes JMP 76d488a4 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768115b5 2 bytes JMP 76cbfd81 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768115cd 2 bytes JMP 76ccb324 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768116b2 2 bytes JMP 76d4906c C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768116bd 2 bytes JMP 76d48839 C:\Windows\syswow64\kernel32.dll .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000767c5822 5 bytes JMP 00000000719b0ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\WS2_32.dll!connect 00000000767c68f5 5 bytes JMP 0000000071a40ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000767cbcd5 5 bytes JMP 0000000071a10ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\WS2_32.dll!listen 00000000767ce977 5 bytes JMP 00000000719e0ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071950ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071980ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 00000000718c0ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 0000000071920ffa .text D:\APP\AdFender\AdFender.exe[1324] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 00000000718f0ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 0000000080120ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[1824] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 00000000717c0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 00000000717f0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 0000000071820ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 0000000071850ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 00000000718b0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071880ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077941930 5 bytes JMP 0000000071790ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077941bf4 5 bytes JMP 0000000071760ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ca8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071730ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71ab0000 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071970ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 00000000719a0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000767c5822 5 bytes JMP 00000000719d0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\WS2_32.dll!connect 00000000767c68f5 5 bytes JMP 0000000071a60ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000767cbcd5 5 bytes JMP 0000000071a30ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\WS2_32.dll!listen 00000000767ce977 5 bytes JMP 0000000071a00ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 00000000718e0ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 0000000071940ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 0000000071910ffa .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076811401 2 bytes JMP 76ccb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076811419 2 bytes JMP 76ccb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076811431 2 bytes JMP 76d490f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007681144a 2 bytes CALL 76ca48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768114dd 2 bytes JMP 76d489ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768114f5 2 bytes JMP 76d48bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007681150d 2 bytes JMP 76d488e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076811525 2 bytes JMP 76d48caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007681153d 2 bytes JMP 76cbfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076811555 2 bytes JMP 76cc6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007681156d 2 bytes JMP 76d491a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076811585 2 bytes JMP 76d48d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007681159d 2 bytes JMP 76d488a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768115b5 2 bytes JMP 76cbfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768115cd 2 bytes JMP 76ccb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768116b2 2 bytes JMP 76d4906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768116bd 2 bytes JMP 76d48839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 0000000080120ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\winspool.drv!AddPrintProvidorA 000007fefb147b34 5 bytes JMP 000007fefb1d0ffa .text C:\Windows\System32\spoolsv.exe[2200] C:\Windows\system32\winspool.drv!AddPrintProvidorW 000007fefb1503c0 5 bytes JMP 000007fefb1f0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 0000000080120ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb147b34 5 bytes JMP 000007fefb1d0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb1503c0 5 bytes JMP 000007fefb1f0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2300] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd8649b0 5 bytes JMP 000007fefe790ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd87a490 5 bytes JMP 000007fefe770ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd8649b0 5 bytes JMP 000007fefe790ffa .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd87a490 5 bytes JMP 000007fefe770ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 00000000718c0ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 00000000718f0ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 0000000071920ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 0000000071950ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 00000000719b0ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071980ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077941930 5 bytes JMP 0000000071890ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077941bf4 5 bytes JMP 0000000071860ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a70ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071aa0ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 00000000719e0ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 0000000071a40ffa .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3004] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 0000000071a10ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\taskeng.exe[2156] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd8649b0 5 bytes JMP 000007fefe790ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd87a490 5 bytes JMP 000007fefe770ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\System32\svchost.exe[2592] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[3104] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\svchost.exe[3104] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\svchost.exe[3104] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 00000000718c0ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 00000000718f0ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 0000000071920ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 0000000071950ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 00000000719b0ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071980ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077941930 5 bytes JMP 0000000071890ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077941bf4 5 bytes JMP 0000000071860ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a70ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071aa0ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 00000000719e0ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 0000000071a40ffa .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[3208] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 0000000071a10ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0xffffffff888e4490} .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\system32\wbem\wmiprvse.exe[1932] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 0000000080120ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefeb42f60 5 bytes JMP 000007fefec20ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\WS2_32.dll!connect 000007fefeb442f0 5 bytes JMP 000007fefebc0ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\WS2_32.dll!listen 000007fefeb47f60 5 bytes JMP 000007fefec00ffa .text C:\Windows\system32\wbem\unsecapp.exe[3060] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefeb6e080 5 bytes JMP 000007fefebe0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 5 bytes JMP 00000000800e0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 5 bytes JMP 0000000080100ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 0000000080120ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb147b34 5 bytes JMP 000007fefb1d0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb1503c0 5 bytes JMP 000007fefb1f0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\NOTEPAD.EXE[3436] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 00000000718c0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 00000000718f0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 0000000071920ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 0000000071950ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 00000000719b0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071980ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077941930 5 bytes JMP 0000000071890ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077941bf4 5 bytes JMP 0000000071860ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 00000000719e0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 0000000071a40ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 0000000071a10ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a70ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071aa0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000767c5822 5 bytes JMP 0000000071770ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\WS2_32.dll!connect 00000000767c68f5 5 bytes JMP 0000000071800ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000767cbcd5 5 bytes JMP 00000000717d0ffa .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1048] C:\Windows\syswow64\WS2_32.dll!listen 00000000767ce977 5 bytes JMP 00000000717a0ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 0000000071860ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 0000000071890ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 000000007793fc91 3 bytes [BC, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc95 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 00000000718c0ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 000000007793fe25 3 bytes [65, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 000000007793fe29 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 000000007793ff35 3 bytes [F8, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 000000007793ff39 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 000000007793ffb5 3 bytes [ED, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007793ffb9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077940015 3 bytes [96, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077940019 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 00000000718f0ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 0000000071950ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 00000000779408b5 3 bytes [C7, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 00000000779408b9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071920ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077940ee9 3 bytes [1E, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077940eed 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 00000000779415e5 3 bytes [29, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 00000000779415e9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077941931 3 bytes [5A, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077941935 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077941bf5 3 bytes [80, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077941bf9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077941c25 3 bytes [4F, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077941c29 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!GetPropW + 126 0000000076e872ad 3 bytes [13, 3C, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!GetPropW + 130 0000000076e872b1 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000076e88bf0 3 bytes [44, 3C, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000076e88bf4 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000076e91296 3 bytes [E2, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 0000000076e9129a 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!SendInput + 1 0000000076eaff6b 3 bytes [75, 3C, 05] .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\USER32.dll!SendInput + 5 0000000076eaff6f 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a10ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071a40ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 0000000071980ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 00000000719e0ffa .text C:\Windows\SysWOW64\cmd.exe[4140] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 00000000719b0ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007778bc00 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007778bdd0 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007778bf80 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007778c9b0 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007778d240 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[4384] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800e0ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\conhost.exe[4384] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\conhost.exe[4384] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 0000000071860ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 0000000071890ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 000000007793fc91 3 bytes [BC, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc95 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 00000000718c0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 000000007793fe25 3 bytes [65, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 000000007793fe29 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 000000007793ff35 3 bytes [F8, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 000000007793ff39 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 000000007793ffb5 3 bytes [ED, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007793ffb9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077940015 3 bytes [96, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077940019 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 00000000718f0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 0000000071950ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 00000000779408b5 3 bytes [C7, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 00000000779408b9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071920ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077940ee9 3 bytes [1E, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077940eed 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 00000000779415e5 3 bytes [29, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 00000000779415e9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077941931 3 bytes [5A, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077941935 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077941bf5 3 bytes [80, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077941bf9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077941c25 3 bytes [4F, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077941c29 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a10ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071a40ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!GetPropW + 126 0000000076e872ad 3 bytes [13, 3C, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!GetPropW + 130 0000000076e872b1 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000076e88bf0 3 bytes [44, 3C, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000076e88bf4 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000076e91296 3 bytes [E2, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 0000000076e9129a 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!SendInput + 1 0000000076eaff6b 3 bytes [75, 3C, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\USER32.dll!SendInput + 5 0000000076eaff6f 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 0000000071980ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 00000000719e0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4288] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 00000000719b0ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 0000000071860ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 0000000071890ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 000000007793fc91 3 bytes [BC, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc95 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 00000000718c0ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 000000007793fe25 3 bytes [65, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 000000007793fe29 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 000000007793ff35 3 bytes [F8, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 000000007793ff39 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 000000007793ffb5 3 bytes [ED, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007793ffb9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077940015 3 bytes [96, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077940019 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 00000000718f0ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 0000000071950ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 00000000779408b5 3 bytes [C7, 39, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 00000000779408b9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071920ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077940ee9 3 bytes [1E, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077940eed 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 00000000779415e5 3 bytes [29, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 00000000779415e9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077941931 3 bytes [5A, 3A, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077941935 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077941bf5 3 bytes [80, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077941bf9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077941c25 3 bytes [4F, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077941c29 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!GetPropW + 126 0000000076e872ad 3 bytes [13, 3C, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!GetPropW + 130 0000000076e872b1 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000076e88bf0 3 bytes [44, 3C, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000076e88bf4 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000076e91296 3 bytes [E2, 3B, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 0000000076e9129a 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!SendInput + 1 0000000076eaff6b 3 bytes [75, 3C, 05] .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\USER32.dll!SendInput + 5 0000000076eaff6f 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a10ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071a40ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 0000000071980ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 00000000719e0ffa .text C:\Windows\SysWOW64\cmd.exe[2424] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 00000000719b0ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007778bc00 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007778bdd0 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007778bf80 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007778c9b0 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007778d240 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800e0ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\conhost.exe[3672] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\conhost.exe[3672] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 0000000071860ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 0000000071890ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 000000007793fc91 3 bytes [BC, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc95 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 00000000718c0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 000000007793fe25 3 bytes [65, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 000000007793fe29 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 000000007793ff35 3 bytes [F8, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 000000007793ff39 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 000000007793ffb5 3 bytes [ED, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007793ffb9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077940015 3 bytes [96, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077940019 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 00000000718f0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 0000000071950ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 00000000779408b5 3 bytes [C7, 39, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 00000000779408b9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071920ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077940ee9 3 bytes [1E, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077940eed 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 00000000779415e5 3 bytes [29, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 00000000779415e9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077941931 3 bytes [5A, 3A, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077941935 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077941bf5 3 bytes [80, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077941bf9 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077941c25 3 bytes [4F, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077941c29 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071830ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a10ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071a40ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!GetPropW + 126 0000000076e872ad 3 bytes [13, 3C, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!GetPropW + 130 0000000076e872b1 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000076e88bf0 3 bytes [44, 3C, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000076e88bf4 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000076e91296 3 bytes [E2, 3B, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 0000000076e9129a 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!SendInput + 1 0000000076eaff6b 3 bytes [75, 3C, 0A] .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\USER32.dll!SendInput + 5 0000000076eaff6f 2 bytes {JMP RAX} .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 0000000071980ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 00000000719e0ffa .text C:\Program Files\AVAST Software\Avast\AvastNM.exe[4352] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 00000000719b0ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007778bc00 10 bytes {MOV EAX, 0xb34ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007778bdd0 10 bytes {MOV EAX, 0xb34f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 10 bytes {MOV EAX, 0xb331f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007778bf80 10 bytes {MOV EAX, 0xb3406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 10 bytes {MOV EAX, 0xb3522; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 10 bytes {MOV EAX, 0xb336b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 10 bytes {MOV EAX, 0xb33b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007778c9b0 10 bytes {MOV EAX, 0xb356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 10 bytes {MOV EAX, 0xb3452; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 10 bytes {MOV EAX, 0xb349e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 10 bytes {MOV EAX, 0xb35c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007778d240 10 bytes {MOV EAX, 0xb359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800e0ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\prevhost.exe[2892] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007778bc00 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007778bdd0 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007778bf80 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007778c9b0 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007778d240 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007778bbe0 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007778bc00 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007778bc30 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007778bd90 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007778bda0 5 bytes JMP 00000000800a0ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007778bdd0 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007778bde0 5 bytes JMP 00000000778f0490 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007778bdf0 5 bytes JMP 00000000778f03d0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007778be60 5 bytes JMP 0000000080080ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007778bea0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007778bed0 10 bytes JMP 00000000778f03a0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007778bef0 1 byte JMP 00000000778f0380 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007778bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007778bf30 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007778bf80 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007778bfb0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007778bfd0 10 bytes JMP 00000000778f0300 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007778c010 10 bytes JMP 00000000778f03b0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007778c050 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007778c060 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007778c080 5 bytes JMP 0000000080060ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007778c130 5 bytes JMP 0000000080020ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007778c1c0 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007778c380 5 bytes JMP 00000000778f04a0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007778c3b0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007778c490 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007778c4a0 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007778c500 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007778c590 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007778c5b0 10 bytes JMP 00000000778f03c0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007778c5c0 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007778c630 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007778c660 5 bytes JMP 00000000778f0230 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007778c6c0 5 bytes JMP 0000000080040ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007778c800 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007778c920 5 bytes JMP 00000000778f01d0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007778c9b0 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007778c9e0 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007778ca10 5 bytes JMP 00000000778f04b0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007778ca20 5 bytes JMP 00000000778f04c0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007778ca50 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007778ca60 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007778cac0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007778cb10 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007778cb40 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007778cb50 5 bytes JMP 00000000778f0330 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007778ce40 10 bytes JMP 00000000778f0460 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007778cfa0 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007778d040 5 bytes JMP 00000000778f0250 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007778d050 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007778d060 10 bytes JMP 00000000778f0400 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007778d220 10 bytes JMP 00000000778f01e0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007778d230 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007778d240 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007778d2a0 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007778d300 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007778d310 5 bytes JMP 00000000778f0450 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007778d320 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007778d400 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007753dbf0 5 bytes JMP 00000000800c0ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff06d870 3 bytes JMP 000007feff2b0ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 4 000007feff06d874 1 byte [00] .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff086d10 5 bytes JMP 000007feff290ffa .text C:\Windows\system32\taskeng.exe[3288] C:\Windows\system32\ole32.dll!CoGetClassObject 000007feff0924f8 5 bytes JMP 000007feff2d0ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007793fc30 5 bytes JMP 00000000718c0ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007793fc48 5 bytes JMP 00000000718f0ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 000000007793fc91 3 bytes [BC, 3A, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc95 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007793fd74 5 bytes JMP 0000000071920ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 000000007793fe25 3 bytes [65, 39, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 000000007793fe29 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 000000007793ff35 3 bytes [F8, 39, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 000000007793ff39 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 000000007793ffb5 3 bytes [ED, 3A, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007793ffb9 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077940015 3 bytes [96, 39, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077940019 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779400c4 5 bytes JMP 0000000071950ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779401d4 5 bytes JMP 00000000719b0ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 00000000779408b5 3 bytes [C7, 39, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 00000000779408b9 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077940a54 5 bytes JMP 0000000071980ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077940ee9 3 bytes [1E, 3B, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077940eed 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 00000000779415e5 3 bytes [29, 3A, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 00000000779415e9 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077941931 3 bytes [5A, 3A, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077941935 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077941bf5 3 bytes [80, 3B, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077941bf9 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077941c25 3 bytes [4F, 3B, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077941c29 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076cb3be3 5 bytes JMP 0000000071890ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076c52e0b 4 bytes CALL 71af0000 .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!GetPropW + 126 0000000076e872ad 3 bytes [13, 3C, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!GetPropW + 130 0000000076e872b1 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000076e88bf0 3 bytes [44, 3C, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000076e88bf4 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000076e91296 3 bytes [E2, 3B, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 0000000076e9129a 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!SendInput + 1 0000000076eaff6b 3 bytes [75, 3C, 19] .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\USER32.dll!SendInput + 5 0000000076eaff6f 2 bytes {JMP RAX} .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755070a4 5 bytes JMP 0000000071a70ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075523414 5 bytes JMP 0000000071aa0ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007710546d 5 bytes JMP 00000000719e0ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077119cbb 5 bytes JMP 0000000071a40ffa .text D:\APP\GMER\nt6di3v8.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000077119cfe 5 bytes JMP 0000000071a10ffa ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????&???????????x??????????????????? ???????????????????????????????????????f??? ?????????????????????0??L????????? ??????V_0??????????????????? ??? ?????????????????????0????????????&???????????????????????? ?????????????????????0????????????????????????????????????????????? ???????5?????????????0????????????????????? ???????????????????.?0????????????????????????????usbstor.inf:Generic.NTamd64:USBSTOR_BULK:6.1.7601.19144:usb\class_08&subclass_06&prot_50?????????????2??37???????????????&?????????????4???????????????????? ???????? ???????????????????????????v??????????????????????????????usbstor.inf_amd64_neutral_1eb5ea4d83600226?301??lvupdtio?4??? ???????????????????j?0????????(???????????ndis5_ip6_tunnel?:??6.1.7601.19133??????? ?????????????????????0????????????????????? ???????????????????k?0????????????????????6TO4 Adapter?osoft 6To4 Adapter??s??? ???????T??????????????????????????&???????????????????????? ???????????????????v?0????????????????????????????????????????*teredo?t???????????? ????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14788702000342280@SetupOperations ??????????@??????s??ys??{71a27cdd-812a-11d0-bec7-08002be2092f}??????STORAGE\VolumeSnapshot??????????????@system32\drivers\pci.sys,#65536;PCI bus %1, device %2, function %3;(0,12,0)??????????????R????????????n????system32\DRIVERS\nvstor64.sys????????????????????????????_??__??msmouse.inf:MSMfg.NTamd64:HID_Mouse_Inst:6.1.7600.16385::hid_device_system_mouse??????N???????????D???????????????????????V?????????????????????????????????????????????????????{71a27cdd-812a-11d0-bec7-08002be2092f}\0005?????Generic volume???????????????????????????????s???e?????????????????eis??volume_install?36e????6????????????e????system32\DRIVERS\nvlddmkm.sys????????????????????????????????????????????:??se??oem11.inf:AzaliaManufacturerID.NTamd64.6.0:IntcAzAudModel:6.0.1.5936:hdaudio\func_01&ven_10ec&dev_0662&subsys_10431503??????\SystemRoot\system32\drivers\aswSnx.sys?ys??????ImationFlashDriv????HID\VID_046D&PID_C214&REV_0205?HID\VID_046D&PID_C214?HID_DEVICE_SYSTEM_GAME?HID_DEVICE_UP:0001_U:0004?HID_DEVICE????cdrom.inf:cdrom_device. Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14788702947262280@SetupOperations ?????4??Microsoft????j?j?j?j?j?j?j?j?j?j?o??? "??????c??????????? ??????????????????@volsnap.inf,%msft%;Microsoft???????????????????????????????s????????????t??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????ne????????\??????0???????????????????????o???????????????u???????e???????f????????????