GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-19 13:26:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_EVO_250GB rev.EXT0CB6Q 232,89GB Running: sm4s8go1.exe; Driver: C:\Users\Azoom\AppData\Local\Temp\kwddakod.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000049c70480 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000049c70470 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000049c70360 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000049c70490 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 0000000049c703d0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000049c70310 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 0000000049c703a0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000049c70380 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 0000000049c702d0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 0000000049c702c0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0xffffffffd2462490} .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000049c70300 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 0000000049c703b0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000049c70440 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 0000000049c703e0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000049c70220 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 0000000049c704a0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000049c70390 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 0000000049c702e0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000049c70340 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000049c70280 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 0000000049c702a0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0xffffffffd2461e90} .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 0000000049c703c0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0xffffffffd2461f90} .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000049c70320 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000049c70410 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000049c70230 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 0000000049c703f0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 0000000049c701d0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000049c70240 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 0000000049c704b0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 0000000049c704c0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 0000000049c702f0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000049c70350 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000049c70290 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 0000000049c702b0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000049c70370 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000049c70330 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000049c70460 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000049c70420 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000049c70250 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0xffffffffd2461390} .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000049c70260 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0xffffffffd2461390} .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000049c70400 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 0000000049c701e0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000049c70200 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 0000000049c701f0 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000049c70430 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000049c70450 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000049c70210 .text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000049c70270 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000049c70480 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000049c70470 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000049c70360 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000049c70490 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 0000000049c703d0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000049c70310 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 0000000049c703a0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000049c70380 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 0000000049c702d0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 0000000049c702c0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0xffffffffd2462490} .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000049c70300 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 0000000049c703b0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000049c70440 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 0000000049c703e0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000049c70220 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 0000000049c704a0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000049c70390 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 0000000049c702e0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000049c70340 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000049c70280 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 0000000049c702a0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0xffffffffd2461e90} .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 0000000049c703c0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0xffffffffd2461f90} .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000049c70320 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000049c70410 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000049c70230 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 0000000049c703f0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 0000000049c701d0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000049c70240 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 0000000049c704b0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 0000000049c704c0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 0000000049c702f0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000049c70350 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000049c70290 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 0000000049c702b0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000049c70370 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000049c70330 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000049c70460 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000049c70420 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000049c70250 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0xffffffffd2461390} .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000049c70260 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0xffffffffd2461390} .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000049c70400 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 0000000049c701e0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000049c70200 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 0000000049c701f0 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000049c70430 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000049c70450 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000049c70210 .text C:\Windows\system32\csrss.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000049c70270 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0xffffffff88862490} .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0xffffffff88861e90} .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0xffffffff88861f90} .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0xffffffff88861390} .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0xffffffff88861390} .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\System32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\taskhost.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000000070480 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000000070470 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000000070360 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000000070490 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000000070310 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000000070380 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000000702c0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0xffffffff88862490} .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000000070300 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000000703b0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000000070440 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000000070220 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000000704a0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000000070390 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000000702e0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000000070340 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000000070280 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000000702a0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0xffffffff88861e90} .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000000703c0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0xffffffff88861f90} .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000000070320 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000000703f0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000000070240 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000000704b0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000000070290 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000000702b0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000000070420 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000000070250 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0xffffffff88861390} .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000000070260 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0xffffffff88861390} .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000000070400 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000000701f0 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000000070430 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000000070450 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3460] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075f12ab1 5 bytes JMP 00000000003cf046 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\kernel32.dll!CreateFileW 00000000759f3f0c 13 bytes JMP 0000000063cd0db0 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!SetWindowPos 00000000763d8e5e 5 bytes JMP 0000000063cd0c00 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000763e0e0b 5 bytes JMP 0000000063cd0a40 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!SetFocus 00000000763e2185 5 bytes JMP 0000000063cd0b30 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!SetActiveWindow 00000000763e3218 5 bytes JMP 0000000063cd0ce0 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!BringWindowToTop 00000000763e7b4b 13 bytes JMP 0000000063cd07b0 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 00000000763ff190 13 bytes JMP 0000000063cd06e0 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 000000007641912c 3 bytes JMP 0000000063cd0880 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow + 4 0000000076419130 9 bytes {IN EAX, DX; MOV ESP, EBP; POP RBP; JMP 0xffffffffed8b7750} .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 0000000076437e5f 5 bytes JMP 0000000063cd0950 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\ole32.dll!DoDragDrop 000000007664a93f 13 bytes JMP 0000000063cd0610 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075af1401 2 bytes JMP 75a1b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075af1419 2 bytes JMP 75a1b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075af1431 2 bytes JMP 75a98fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075af144a 2 bytes CALL 759f489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075af14dd 2 bytes JMP 75a988c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075af14f5 2 bytes JMP 75a98aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075af150d 2 bytes JMP 75a987ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075af1525 2 bytes JMP 75a98b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075af153d 2 bytes JMP 75a0fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075af1555 2 bytes JMP 75a168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075af156d 2 bytes JMP 75a99089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075af1585 2 bytes JMP 75a98bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075af159d 2 bytes JMP 75a9877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075af15b5 2 bytes JMP 75a0fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075af15cd 2 bytes JMP 75a1b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075af16b2 2 bytes JMP 75a98f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075af16bd 2 bytes JMP 75a98713 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000759f8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075af1401 2 bytes JMP 75a1b21b C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075af1419 2 bytes JMP 75a1b346 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075af1431 2 bytes JMP 75a98fd1 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075af144a 2 bytes CALL 759f489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075af14dd 2 bytes JMP 75a988c4 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075af14f5 2 bytes JMP 75a98aa0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075af150d 2 bytes JMP 75a987ba C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075af1525 2 bytes JMP 75a98b8a C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075af153d 2 bytes JMP 75a0fca8 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075af1555 2 bytes JMP 75a168ef C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075af156d 2 bytes JMP 75a99089 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075af1585 2 bytes JMP 75a98bea C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075af159d 2 bytes JMP 75a9877e C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075af15b5 2 bytes JMP 75a0fd41 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075af15cd 2 bytes JMP 75a1b2dc C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075af16b2 2 bytes JMP 75a98f4c C:\Windows\syswow64\kernel32.dll .text D:\Programy\Avast\AvastUI.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075af16bd 2 bytes JMP 75a98713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075af1401 2 bytes JMP 75a1b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075af1419 2 bytes JMP 75a1b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075af1431 2 bytes JMP 75a98fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075af144a 2 bytes CALL 759f489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075af14dd 2 bytes JMP 75a988c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075af14f5 2 bytes JMP 75a98aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075af150d 2 bytes JMP 75a987ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075af1525 2 bytes JMP 75a98b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075af153d 2 bytes JMP 75a0fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075af1555 2 bytes JMP 75a168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075af156d 2 bytes JMP 75a99089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075af1585 2 bytes JMP 75a98bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075af159d 2 bytes JMP 75a9877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075af15b5 2 bytes JMP 75a0fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075af15cd 2 bytes JMP 75a1b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075af16b2 2 bytes JMP 75a98f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075af16bd 2 bytes JMP 75a98713 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 0000000075af1401 2 bytes JMP 75a1b21b C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 0000000075af1419 2 bytes JMP 75a1b346 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 0000000075af1431 2 bytes JMP 75a98fd1 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 0000000075af144a 2 bytes CALL 759f489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 0000000075af14dd 2 bytes JMP 75a988c4 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 0000000075af14f5 2 bytes JMP 75a98aa0 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 0000000075af150d 2 bytes JMP 75a987ba C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 0000000075af1525 2 bytes JMP 75a98b8a C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 0000000075af153d 2 bytes JMP 75a0fca8 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 0000000075af1555 2 bytes JMP 75a168ef C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 0000000075af156d 2 bytes JMP 75a99089 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 0000000075af1585 2 bytes JMP 75a98bea C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 0000000075af159d 2 bytes JMP 75a9877e C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 0000000075af15b5 2 bytes JMP 75a0fd41 C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 0000000075af15cd 2 bytes JMP 75a1b2dc C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 0000000075af16b2 2 bytes JMP 75a98f4c C:\Windows\syswow64\kernel32.dll .text D:\Programy\Hamachi\hamachi-2-ui.exe[3560] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 0000000075af16bd 2 bytes JMP 75a98713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4164] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000073b017fa 2 bytes CALL 759f11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4164] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073b01860 2 bytes CALL 759f11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4164] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073b01942 2 bytes JMP 75597089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4164] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000073b0194d 2 bytes JMP 7559cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[4188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000077970480 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000077970470 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000077970360 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000077970490 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000779703d0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000077970310 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000779703a0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000077970380 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000779702d0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000779702c0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000077970300 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000779703b0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000077970440 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000779703e0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000077970220 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000779704a0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000077970390 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000779702e0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000077970340 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000077970280 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000779702a0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000779703c0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000077970320 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000077970410 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000077970230 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000779703f0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000779701d0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000077970240 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000779704b0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000779704c0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000779702f0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000077970350 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000077970290 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000779702b0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000077970370 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000077970330 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000077970460 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000077970420 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000077970250 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000077970260 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000077970400 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000779701e0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000077970200 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000779701f0 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000077970430 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000077970450 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000077970210 .text C:\Windows\system32\svchost.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000077970270 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007780da60 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007780dab0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007780dc60 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007780dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007780dd20 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007780dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007780dd70 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007780ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007780de30 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007780de32 3 bytes {JMP 0xffffffff88862490} .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007780de50 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007780de90 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007780ded0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007780dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007780e040 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007780e200 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007780e230 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007780e310 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007780e320 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007780e380 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007780e410 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007780e412 3 bytes {JMP 0xffffffff88861e90} .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007780e430 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007780e432 3 bytes {JMP 0xffffffff88861f90} .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007780e440 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007780e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007780e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007780e680 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007780e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007780e860 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007780e890 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007780e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007780e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007780e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007780e940 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007780e990 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007780e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007780ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007780ee20 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007780eec0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007780eec2 3 bytes {JMP 0xffffffff88861390} .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007780eed0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007780eed2 3 bytes {JMP 0xffffffff88861390} .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007780eee0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007780f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007780f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007780f120 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007780f180 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007780f190 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007780f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[6872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007780f280 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000038075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6240] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000003803a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6240] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 14 bytes {MOV RAX, 0x7fef04862b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000037075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000003703a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 00000000003e075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7256] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000003e03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000009075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000000903a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000044075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000004403a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000040075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000004003a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 00000000001a075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000001a03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 00000000003c075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000003c03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000040075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000004003a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 00000000003b075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000003b03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 00000000003e075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000003e03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 00000000001a075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000001a03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3250 5 bytes JMP 000000000058075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000777e6dc0 5 bytes JMP 00000000005803a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007780da80 7 bytes [48, B8, 60, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007780da88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007780dbf0 7 bytes [48, B8, E0, F9, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007780dbf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007780dc10 7 bytes [48, B8, D0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007780dc18 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007780dc20 7 bytes [48, B8, C0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007780dc28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007780dc30 7 bytes [48, B8, 40, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007780dc38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007780dc50 7 bytes [48, B8, B0, F8, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007780dc58 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007780dca0 7 bytes [48, B8, 50, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007780dca8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007780dcb0 7 bytes [48, B8, 20, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007780dcb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007780dce0 7 bytes [48, B8, 40, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007780dce8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007780dd80 7 bytes [48, B8, 80, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007780dd88 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007780df00 7 bytes [48, B8, C0, FA, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007780df08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007780e970 7 bytes [48, B8, 00, FE, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007780e978 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007780e9c0 7 bytes [48, B8, A0, FD, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007780e9c8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007780eb10 7 bytes [48, B8, A0, FB, 9D, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007780eb18 6 bytes {ADD [RAX], AL; JMP RAX} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5656] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4916] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7488] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4608] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1660] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4960] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3868] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fee9466490] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee9465ca0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee9466470] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fee94666e0] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3568] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee85a2730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2184] 00000000779f27c1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2200] 00000000779dc557 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2264] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2268] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2272] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2300] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2304] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2308] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2312] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2316] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2320] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2324] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2328] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2348] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2352] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2368] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2372] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2376] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2380] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2384] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2388] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2392] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:2396] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4000] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4004] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4008] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4012] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4016] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4020] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4024] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4040] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4044] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4048] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4072] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4076] 00000000779f27c1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4080] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4088] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4092] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:3092] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:3104] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:3176] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4444] 00000000711b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2072:4628] 00000000711b29e1 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833584459802280@SetupOperations ????????????????????????? ????????????????????H??|???m?????????ora??cdrom???????????system32\drivers\wimmount.sys???s???????????????????H????????????????????????????????????~???????????0??????A2??????????????????????????????????gencdrom?`???????????????????????f??? ???e???????t??????????????????????????????????????????????FSFilter Infrastructure???????????????????????????????????X??????????????????????????g???????????????v???????????????????????????????????????????????????|?????? ?????????????,??|???????????????????u???????????e??????????????????????? B??|???????????????|????V??|??????????????????SeRestorePrivilege?SeImpersonatePrivilege????????????????????????????????u?u?u?u?u?|?|?|?|?|?|?|????? ???????u???????????u?0??????,?B??? ???????????%SystemRoot%\System32\trkwks.dll????????????????????????????? ???????n?????|?? ??z?0??????$?d???????????????????10???????z??????????????????????????????????????l?????