GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-14 21:49:06 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298.09GB Running: j67nq9bk.exe; Driver: C:\Users\HP\AppData\Local\Temp\uxrdipod.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000000040450 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000000040440 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0xffffffff883b2790} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000000040360 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000000040460 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 00000000000403d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000000040310 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 00000000000403a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000000040380 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 00000000000402d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 00000000000402c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0xffffffff883b2290} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000000040300 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 00000000000403b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 00000000000403e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000000040220 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000000040470 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000000040390 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 00000000000402e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000000040340 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000000040280 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 00000000000402a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0xffffffff883b1c90} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 00000000000403c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0xffffffff883b1d90} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000000040320 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000000040400 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000000040230 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 00000000000401d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000000040240 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000000040480 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000000040490 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 00000000000402f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000000040350 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000000040290 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 00000000000402b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000000040370 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000000040330 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000000040430 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000000040250 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0xffffffff883b1190} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000000040260 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0xffffffff883b1190} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 00000000000403f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 00000000000401e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000000040200 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 00000000000401f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000000040410 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0xffffffff883b1090} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000000040420 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0xffffffff883b1090} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000000040210 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000000040270 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000049e60450 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000049e60440 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0xffffffffd21d2790} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000049e60360 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000049e60460 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000049e603d0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000049e60310 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000049e603a0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000049e60380 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000049e602d0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000049e602c0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0xffffffffd21d2290} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000049e60300 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000049e603b0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000049e603e0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000049e60220 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000049e60470 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000049e60390 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000049e602e0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000049e60340 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000049e60280 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000049e602a0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0xffffffffd21d1c90} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000049e603c0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0xffffffffd21d1d90} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000049e60320 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000049e60400 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000049e60230 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000049e601d0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000049e60240 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000049e60480 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000049e60490 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000049e602f0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000049e60350 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000049e60290 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000049e602b0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000049e60370 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000049e60330 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000049e60430 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000049e60250 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0xffffffffd21d1190} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000049e60260 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0xffffffffd21d1190} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000049e603f0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000049e601e0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000049e60200 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000049e601f0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000049e60410 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0xffffffffd21d1090} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000049e60420 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0xffffffffd21d1090} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000049e60210 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000049e60270 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000000070450 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000000070440 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0xffffffff883e2790} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000000070460 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 00000000000702c0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0xffffffff883e2290} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000000070300 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000000070220 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000000070470 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000000070390 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000000070340 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000000070280 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 00000000000702a0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0xffffffff883e1c90} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 00000000000703c0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0xffffffff883e1d90} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000000070320 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000000070240 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000000070480 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000000070290 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000000070260 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000000070410 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000000070420 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000000070270 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0xffffffff883e2790} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0xffffffff883e2290} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0xffffffff883e1c90} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0xffffffff883e1d90} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\System32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\svchost.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000000070450 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000000070440 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0xffffffff883e2790} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000000070360 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000000070460 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 00000000000703d0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000000070310 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 00000000000703a0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000000070380 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 00000000000702c0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0xffffffff883e2290} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000000070300 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 00000000000703b0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000000070220 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000000070470 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000000070390 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 00000000000702e0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000000070340 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000000070280 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 00000000000702a0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0xffffffff883e1c90} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 00000000000703c0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0xffffffff883e1d90} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000000070320 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000000070400 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000000070240 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000000070480 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000000070490 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000000070350 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000000070290 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000000070430 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000000070250 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000000070260 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 00000000000703f0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 00000000000701f0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000000070410 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000000070420 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\System32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000766b1401 2 bytes JMP 76ddb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000766b1419 2 bytes JMP 76ddb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000766b1431 2 bytes JMP 76e58f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000766b144a 2 bytes CALL 76db489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766b14dd 2 bytes JMP 76e58822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766b14f5 2 bytes JMP 76e589f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000766b150d 2 bytes JMP 76e58718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000766b1525 2 bytes JMP 76e58ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000766b153d 2 bytes JMP 76dcfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000766b1555 2 bytes JMP 76dd68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000766b156d 2 bytes JMP 76e58fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000766b1585 2 bytes JMP 76e58b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000766b159d 2 bytes JMP 76e586dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766b15b5 2 bytes JMP 76dcfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766b15cd 2 bytes JMP 76ddb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766b16b2 2 bytes JMP 76e58ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766b16bd 2 bytes JMP 76e58671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\svchost.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4260] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076db8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000000070450 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000000070440 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0xffffffff883e2790} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000000070460 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 00000000000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0xffffffff883e2290} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000000070300 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000000070220 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000000070470 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000000070390 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000000070340 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000000070280 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 00000000000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0xffffffff883e1c90} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 00000000000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0xffffffff883e1d90} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000000070320 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000000070240 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000000070480 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000000070290 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000000070260 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000000070410 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000000070420 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0xffffffff883e1090} .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\wbem\wmiprvse.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000766b1401 2 bytes JMP 76ddb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000766b1419 2 bytes JMP 76ddb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000766b1431 2 bytes JMP 76e58f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000766b144a 2 bytes CALL 76db489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766b14dd 2 bytes JMP 76e58822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766b14f5 2 bytes JMP 76e589f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000766b150d 2 bytes JMP 76e58718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000766b1525 2 bytes JMP 76e58ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000766b153d 2 bytes JMP 76dcfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000766b1555 2 bytes JMP 76dd68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000766b156d 2 bytes JMP 76e58fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000766b1585 2 bytes JMP 76e58b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000766b159d 2 bytes JMP 76e586dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766b15b5 2 bytes JMP 76dcfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766b15cd 2 bytes JMP 76ddb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766b16b2 2 bytes JMP 76e58ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766b16bd 2 bytes JMP 76e58671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c8dc60 5 bytes JMP 0000000077df0450 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c8dcb0 1 byte JMP 0000000077df0440 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077c8dcb2 3 bytes {JMP 0x162790} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c8de10 5 bytes JMP 0000000077df0360 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c8de60 5 bytes JMP 0000000077df0460 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c8de70 5 bytes JMP 0000000077df03d0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c8df20 5 bytes JMP 0000000077df0310 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c8df50 5 bytes JMP 0000000077df03a0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c8df70 5 bytes JMP 0000000077df0380 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c8dfb0 5 bytes JMP 0000000077df02d0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c8e030 1 byte JMP 0000000077df02c0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c8e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c8e050 5 bytes JMP 0000000077df0300 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c8e090 5 bytes JMP 0000000077df03b0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c8e0e0 5 bytes JMP 0000000077df03e0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c8e240 5 bytes JMP 0000000077df0220 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c8e400 5 bytes JMP 0000000077df0470 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c8e430 5 bytes JMP 0000000077df0390 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c8e510 5 bytes JMP 0000000077df02e0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c8e520 5 bytes JMP 0000000077df0340 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c8e580 5 bytes JMP 0000000077df0280 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c8e610 1 byte JMP 0000000077df02a0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c8e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c8e630 1 byte JMP 0000000077df03c0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c8e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c8e640 5 bytes JMP 0000000077df0320 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c8e6b0 5 bytes JMP 0000000077df0400 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c8e6e0 5 bytes JMP 0000000077df0230 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c8e9a0 5 bytes JMP 0000000077df01d0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c8ea60 5 bytes JMP 0000000077df0240 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c8ea90 5 bytes JMP 0000000077df0480 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c8eaa0 5 bytes JMP 0000000077df0490 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c8ead0 5 bytes JMP 0000000077df02f0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c8eae0 5 bytes JMP 0000000077df0350 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c8eb40 5 bytes JMP 0000000077df0290 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c8eb90 5 bytes JMP 0000000077df02b0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c8ebc0 5 bytes JMP 0000000077df0370 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c8ebd0 5 bytes JMP 0000000077df0330 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c8eec0 5 bytes JMP 0000000077df0430 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c8f0c0 1 byte JMP 0000000077df0250 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c8f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c8f0d0 1 byte JMP 0000000077df0260 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c8f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c8f0e0 5 bytes JMP 0000000077df03f0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c8f2a0 5 bytes JMP 0000000077df01e0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c8f2b0 5 bytes JMP 0000000077df0200 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c8f320 5 bytes JMP 0000000077df01f0 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c8f380 1 byte JMP 0000000077df0410 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077c8f382 3 bytes {JMP 0x161090} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c8f390 1 byte JMP 0000000077df0420 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077c8f392 3 bytes {JMP 0x161090} .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c8f3a0 5 bytes JMP 0000000077df0210 .text C:\Windows\system32\SearchIndexer.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c8f480 5 bytes JMP 0000000077df0270 ---- Threads - GMER 2.2 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2484] 0000000077e61415 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2492] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2496] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2500] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2504] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2508] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2512] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2516] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2520] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2524] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2780] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:780] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2176] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2800] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:500] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:756] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:1660] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2860] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2856] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2552] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2360] 0000000077e72855 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:3088] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2932] 0000000077e72855 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:3968] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:5032] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:1816] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2352] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:4816] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:1376] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:5748] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:2436] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:4236] 0000000071fc29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2220:1168] 0000000071fc29e1 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@1474115f58f5 0xD5 0x9F 0x05 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001edc9066b1 0xB4 0xD4 0x86 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001a8ab10ce4 0x41 0x0E 0x0E 0x1B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001f5cacfe1b 0xB5 0x87 0x72 0x78 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@ac81f3b2b51a 0x7A 0x5F 0x33 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@0019b74a1e33 0x6A 0xCB 0x81 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@e839df59129c 0x6A 0x86 0x38 0x07 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@68ed438d527e 0xB3 0x67 0x56 0x06 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@1474115f58f5 0xD5 0x9F 0x05 0x4F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001edc9066b1 0xB4 0xD4 0x86 0x04 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001a8ab10ce4 0x41 0x0E 0x0E 0x1B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001f5cacfe1b 0xB5 0x87 0x72 0x78 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@ac81f3b2b51a 0x7A 0x5F 0x33 0xFB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@0019b74a1e33 0x6A 0xCB 0x81 0x95 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@e839df59129c 0x6A 0x86 0x38 0x07 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@68ed438d527e 0xB3 0x67 0x56 0x06 ... ---- EOF - GMER 2.2 ----