GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-24 09:24:04 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD10EARX-00N0YB0 rev.51.0AB51 931,51GB Running: 5npmtu0l.exe; Driver: C:\Users\Adam\AppData\Local\Temp\pwtyqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 0000000000120480 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 0000000000120470 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 0000000000120360 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 0000000000120490 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000001203d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 0000000000120310 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0xffffffff88ecec90} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000001203a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 0000000000120380 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000001202d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000001202c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 0000000000120300 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000001203b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 0000000000120440 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000001203e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 0000000000120220 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000001204a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 0000000000120390 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000001202e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 0000000000120340 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 0000000000120280 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000001202a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000001203c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 0000000000120320 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 0000000000120410 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 0000000000120230 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000001203f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000001201d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 0000000000120240 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000001204b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000001204c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000001202f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 0000000000120350 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 0000000000120290 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000001202b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 0000000000120370 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 0000000000120330 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 0000000000120460 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 0000000000120420 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 0000000000120250 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 0000000000120260 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 0000000000120400 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000001201e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 0000000000120200 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000001201f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 0000000000120430 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 0000000000120450 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 0000000000120210 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 0000000000120270 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0xffffffff88ecd690} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 0000000000120480 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 0000000000120470 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 0000000000120360 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 0000000000120490 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000001203d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 0000000000120310 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0xffffffff88ecec90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000001203a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 0000000000120380 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000001202d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000001202c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 0000000000120300 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000001203b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 0000000000120440 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000001203e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 0000000000120220 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000001204a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 0000000000120390 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000001202e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 0000000000120340 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 0000000000120280 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000001202a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000001203c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 0000000000120320 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 0000000000120410 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 0000000000120230 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000001203f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000001201d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 0000000000120240 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000001204b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000001204c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000001202f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 0000000000120350 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 0000000000120290 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000001202b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 0000000000120370 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 0000000000120330 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 0000000000120460 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 0000000000120420 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 0000000000120250 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 0000000000120260 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 0000000000120400 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000001201e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 0000000000120200 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000001201f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 0000000000120430 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 0000000000120450 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 0000000000120210 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 0000000000120270 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0xffffffff88ecd690} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\services.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\lsass.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\lsm.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0xffffffff88e1ec90} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0xffffffff88e1d690} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0xffffffff88e1ec90} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0xffffffff88e1d690} .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\System32\svchost.exe[240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0xffffffff88e1ec90} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0xffffffff88e1d690} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0xffffffff88e1ec90} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0xffffffff88e1d690} .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\atieclxx.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\Dwm.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\taskeng.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2240] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074d28799 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000141465 2 bytes [14, 00] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000001414bb 2 bytes [14, 00] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\system32\svchost.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772513c0 5 bytes JMP 00000000773b0480 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077251410 5 bytes JMP 00000000773b0470 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077251570 5 bytes JMP 00000000773b0360 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772515c0 5 bytes JMP 00000000773b0490 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772515d0 5 bytes JMP 00000000773b03d0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077251680 1 byte JMP 00000000773b0310 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077251682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772516b0 5 bytes JMP 00000000773b03a0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772516d0 5 bytes JMP 00000000773b0380 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077251710 5 bytes JMP 00000000773b02d0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077251790 5 bytes JMP 00000000773b02c0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772517b0 5 bytes JMP 00000000773b0300 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772517f0 5 bytes JMP 00000000773b03b0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077251830 5 bytes JMP 00000000773b0440 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077251840 5 bytes JMP 00000000773b03e0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772519a0 5 bytes JMP 00000000773b0220 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077251b60 5 bytes JMP 00000000773b04a0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077251b90 5 bytes JMP 00000000773b0390 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077251c70 5 bytes JMP 00000000773b02e0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077251c80 5 bytes JMP 00000000773b0340 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077251ce0 5 bytes JMP 00000000773b0280 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077251d70 5 bytes JMP 00000000773b02a0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077251d90 5 bytes JMP 00000000773b03c0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077251da0 5 bytes JMP 00000000773b0320 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077251e10 5 bytes JMP 00000000773b0410 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077251e40 5 bytes JMP 00000000773b0230 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077251fe0 5 bytes JMP 00000000773b03f0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077252100 5 bytes JMP 00000000773b01d0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772521c0 5 bytes JMP 00000000773b0240 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772521f0 5 bytes JMP 00000000773b04b0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077252200 5 bytes JMP 00000000773b04c0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077252230 5 bytes JMP 00000000773b02f0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077252240 5 bytes JMP 00000000773b0350 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772522a0 5 bytes JMP 00000000773b0290 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772522f0 5 bytes JMP 00000000773b02b0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077252320 5 bytes JMP 00000000773b0370 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077252330 5 bytes JMP 00000000773b0330 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077252620 5 bytes JMP 00000000773b0460 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077252780 5 bytes JMP 00000000773b0420 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077252820 5 bytes JMP 00000000773b0250 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077252830 5 bytes JMP 00000000773b0260 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077252840 5 bytes JMP 00000000773b0400 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077252a00 5 bytes JMP 00000000773b01e0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077252a10 5 bytes JMP 00000000773b0200 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077252a80 5 bytes JMP 00000000773b01f0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077252ae0 5 bytes JMP 00000000773b0430 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077252af0 5 bytes JMP 00000000773b0450 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077252b00 5 bytes JMP 00000000773b0210 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077252be0 1 byte JMP 00000000773b0270 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077252be2 3 bytes {JMP 0x15d690} ---- Files - GMER 2.2 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd} 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\launcher_profiles.json 3073 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\minecraft launcher 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e202945c-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\minecraft launcher\options.json 81 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd} 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\launcher_profiles.json 3073 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\minecraft launcher 0 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\minecraft launcher\Minecraft Update News.htm 18881 bytes File C:\avast! sandbox\S-1-5-21-1417445903-1827596930-4287722866-1000\r510\Minecraft.exe_{e2029463-b8e9-11e4-995d-c8600056cbcd}\C\Users\Filip&Adam\AppData\Roaming\.minecraft\minecraft launcher\options.json 81 bytes ---- EOF - GMER 2.2 ----