GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-24 14:06:11 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GT00 698,64GB Running: 316mxkdz.exe; Driver: C:\Users\kieras\AppData\Local\Temp\ffwdapob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff960001258e0 8 bytes [CC, B0, 2D, 04, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000155200 7 bytes [C0, 73, F3, FF, 41, 83, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000155208 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 00000000498e0480 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 00000000498e0470 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 00000000498e0360 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 00000000498e0490 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000498e03d0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 00000000498e0310 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000498e03a0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 00000000498e0380 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000498e02d0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000498e02c0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0xffffffffd2432490} .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 00000000498e0300 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000498e03b0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 00000000498e0440 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000498e03e0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 00000000498e0220 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000498e04a0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 00000000498e0390 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000498e02e0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 00000000498e0340 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 00000000498e0280 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000498e02a0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0xffffffffd2431e90} .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000498e03c0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0xffffffffd2431f90} .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 00000000498e0320 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 00000000498e0410 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 00000000498e0230 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000498e03f0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000498e01d0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 00000000498e0240 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000498e04b0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000498e04c0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000498e02f0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 00000000498e0350 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 00000000498e0290 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000498e02b0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 00000000498e0370 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 00000000498e0330 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 00000000498e0460 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 00000000498e0420 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 00000000498e0250 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0xffffffffd2431390} .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 00000000498e0260 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0xffffffffd2431390} .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 00000000498e0400 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000498e01e0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 00000000498e0200 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000498e01f0 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 00000000498e0430 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 00000000498e0450 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 00000000498e0210 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 00000000498e0270 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0xffffffff88bc2490} .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0xffffffff88bc1e90} .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0xffffffff88bc1f90} .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsass.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0xffffffff88bc2490} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0xffffffff88bc1e90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0xffffffff88bc1f90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0xffffffff88bc2490} .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0xffffffff88bc1e90} .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0xffffffff88bc1f90} .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0xffffffff88bc2490} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0xffffffff88bc1e90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0xffffffff88bc1f90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0xffffffff88bc1390} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 1 byte JMP 000007fefd4200b8 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd4baec2 3 bytes {JMP 0xfffffffffff651f8} .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd4bca30 5 bytes JMP 000007fefd420038 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\system32\WINMM.dll!waveOutReset 000007fefabda38c 5 bytes JMP 000007fefd4202b8 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\system32\WINMM.dll!waveOutPause 000007fefabf4b60 5 bytes JMP 000007fefd420238 .text C:\Windows\system32\taskhost.exe[1288] C:\Windows\system32\WINMM.dll!waveOutRestart 000007fefabf4ba0 5 bytes JMP 000007fefd4201b8 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd4bca30 5 bytes JMP 000007fefd490038 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\Windows\system32\Dwm.exe[1764] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[4028] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[4028] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[4028] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe1e74a0 5 bytes JMP 000007fefd450138 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007734a460 7 bytes JMP 000000006fff0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077353f80 5 bytes JMP 000000006fff0180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000773564a0 5 bytes JMP 0000000069ff0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007736ffa0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007737f330 5 bytes JMP 000000006fff0110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773a9a80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773b9510 5 bytes JMP 000000006fff0148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1932] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000773d8830 7 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000010002710 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000100027f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000010002780 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3896] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000010002710 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000100027f0 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000010002780 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075d51d29 5 bytes JMP 0000000070423460 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075d51dd7 5 bytes JMP 0000000070423420 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d52ab1 5 bytes JMP 0000000070423560 .text C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3984] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075d52d1d 5 bytes JMP 0000000070423250 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000000392710 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000003927f0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000000392780 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4156] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000010002710 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000100027f0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000010002780 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075a88781 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe[4184] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4212] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075a88781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[4844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774ada60 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774adab0 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774adc10 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774adc60 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774adc70 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774add20 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774add50 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774add70 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774addb0 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774ade30 1 byte JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000774ade32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774ade50 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774ade90 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774aded0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774adee0 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774ae040 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774ae200 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774ae230 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774ae310 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774ae320 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774ae380 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774ae410 1 byte JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000774ae412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ae430 1 byte JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000774ae432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774ae440 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774ae4b0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774ae4e0 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ae680 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774ae7a0 5 bytes JMP 00000000776101d0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774ae860 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774ae890 5 bytes JMP 00000000776104b0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774ae8a0 5 bytes JMP 00000000776104c0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774ae8d0 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774ae8e0 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774ae940 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774ae990 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774ae9c0 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774ae9d0 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774aecc0 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000774aee20 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774aeec0 1 byte JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000774aeec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774aeed0 1 byte JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000774aeed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774aeee0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774af0a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774af0b0 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774af120 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774af180 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774af190 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774af1a0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774af280 5 bytes JMP 0000000077610270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000010002710 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000100027f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000010002780 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075d51d29 5 bytes JMP 0000000070423460 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075d51dd7 5 bytes JMP 0000000070423420 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d52ab1 5 bytes JMP 0000000001152ac0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075d52d1d 5 bytes JMP 0000000070423250 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075018a29 5 bytes JMP 0000000070422890 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075024572 5 bytes JMP 00000000704231d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007503e567 5 bytes JMP 0000000070423240 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000750607d7 5 bytes JMP 0000000070422710 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075077a5c 5 bytes JMP 00000000704231c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007569d2b4 5 bytes JMP 0000000070422970 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007569d4ee 5 bytes JMP 0000000070422980 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075795ea5 5 bytes JMP 0000000070422850 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000757c9d0b 5 bytes JMP 00000000704227e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75aab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75aab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75b28fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75a8489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75b288c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75b28aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75b287ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75b28b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75a9fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75aa68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75b29089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75b28bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75b2877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75a9fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75aab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75b28f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75b28713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000010002710 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000100027f0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000010002780 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075d51d29 5 bytes JMP 0000000070423460 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075d51dd7 5 bytes JMP 0000000070423420 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d52ab1 5 bytes JMP 0000000070423560 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075d52d1d 5 bytes JMP 0000000070423250 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75aab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75aab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75b28fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75a8489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75b288c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75b28aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75b287ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75b28b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75a9fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75aa68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75b29089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75b28bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75b2877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75a9fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75aab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75b28f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\acwebbrowser.exe[6256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75b28713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[6536] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[6536] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007734a460 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077353f80 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007736ffa0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007737f330 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773a9a80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773b9510 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000773d8830 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe1e74a0 11 bytes JMP 000007fefd4a0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2128] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe1fbf10 7 bytes JMP 000007fefd4a0260 .text C:\Windows\system32\taskmgr.exe[7372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\Windows\system32\taskmgr.exe[7372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\Windows\system32\taskmgr.exe[7372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\Windows\system32\taskmgr.exe[7372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\Windows\system32\taskmgr.exe[7372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007734a460 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077353f80 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000773564a0 5 bytes JMP 0000000069ff0038 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007736ffa0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007737f330 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773a9a80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773b9510 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000773d8830 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd4bca30 5 bytes JMP 000007fefd490038 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe1e74a0 11 bytes JMP 000007fefd4a0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5808] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe1fbf10 7 bytes JMP 000007fefd4a0260 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000010002710 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 00000000100027f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000010002780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6112] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files\ANSYS Inc\v160\RSM\bin\Ans.Rsm.JMHost.exe[3804] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\Program Files\ANSYS Inc\v160\RSM\bin\Ans.Rsm.JMHost.exe[3804] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\Program Files\ANSYS Inc\v160\RSM\bin\Ans.Rsm.JMHost.exe[3804] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\Program Files\ANSYS Inc\v160\RSM\bin\Ans.Rsm.JMHost.exe[3804] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\Program Files\ANSYS Inc\v160\RSM\bin\Ans.Rsm.JMHost.exe[3804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text 0000000075a81efe 7 bytes JMP 0000000070423910 .text 0000000075d51d29 5 bytes JMP 0000000070423460 .text 0000000075018a29 5 bytes JMP 0000000070422890 .text 000000007569d2b4 5 bytes JMP 0000000070422970 .text 0000000075795ea5 5 bytes JMP 0000000070422850 .text + 17 00000000763b1401 2 bytes JMP 75aab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007734a460 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077353f80 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007736ffa0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007737f330 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773a9a80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773b9510 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000773d8830 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe1e74a0 11 bytes JMP 000007fefd4a0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe1fbf10 7 bytes JMP 000007fefd4a0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fee6e32460 5 bytes JMP 000007fefd4a02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[12576] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fee6e696b0 6 bytes JMP 000007fefd4a0298 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a848cb 5 bytes JMP 0000000003d22710 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a848e3 5 bytes JMP 0000000003d227f0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a84915 5 bytes JMP 0000000003d22780 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075d51d29 5 bytes JMP 0000000070423460 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075d51dd7 5 bytes JMP 0000000070423420 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d52ab1 5 bytes JMP 0000000070423560 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075d52d1d 5 bytes JMP 0000000070423250 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007569d2b4 5 bytes JMP 0000000070422970 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007569d4ee 5 bytes JMP 0000000070422980 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075018a29 5 bytes JMP 0000000070422890 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075024572 5 bytes JMP 00000000704231d0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007503e567 5 bytes JMP 0000000070423240 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000750607d7 5 bytes JMP 0000000070422710 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075077a5c 5 bytes JMP 00000000704231c0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75aab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75aab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75b28fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75a8489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75b288c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75b28aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75b287ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75b28b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75a9fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75aa68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75b29089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75b28bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75b2877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75a9fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75aab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75b28f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75b28713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000733911a8 2 bytes [39, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000007339127d 2 bytes CALL 75a814c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 0000000073391310 2 bytes CALL 75a814c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000733913a8 2 bytes [39, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000073391422 2 bytes [39, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5404] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000073391498 2 bytes [39, 73] .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007734a460 7 bytes JMP 000000006fff0228 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077353f80 5 bytes JMP 000000006fff0180 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007736ffa0 5 bytes JMP 000000006fff01b8 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007737f330 5 bytes JMP 000000006fff0110 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773a9a80 7 bytes JMP 000000006fff00d8 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773b9510 5 bytes JMP 000000006fff0148 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000773d8830 7 bytes JMP 000000006fff01f0 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe1e74a0 11 bytes JMP 000007fefd4a0228 .text C:\PROGRAMY\TeamSpeak 3 Client\ts3client_win64.exe[2480] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe1fbf10 7 bytes JMP 000007fefd4a0260 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007734a460 7 bytes JMP 000000006fff0228 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077353f80 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007736ffa0 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007737f330 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773a9a80 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773b9510 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000773d8830 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd4b2db0 5 bytes JMP 000007fefd4a0180 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4b37d0 7 bytes JMP 000007fefd4a00d8 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd4ba410 2 bytes JMP 000007fefd4a0110 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd4ba413 2 bytes [FE, FF] .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd4baec0 6 bytes JMP 000007fefd4a0148 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff4989d0 8 bytes JMP 000007fefd4a01f0 .text C:\Windows\system32\notepad.exe[7200] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff49be40 8 bytes JMP 000007fefd4a01b8 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075a81efe 7 bytes JMP 0000000070423910 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075a85b9d 7 bytes JMP 0000000070423f90 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075a913f9 7 bytes JMP 0000000070423ba0 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075a9ea45 7 bytes JMP 0000000070423900 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075b28f4c 7 bytes JMP 00000000704234a0 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075b28fd1 5 bytes JMP 0000000070423550 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075b29327 5 bytes JMP 00000000704234b0 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075d51d29 5 bytes JMP 0000000070423460 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075d51dd7 5 bytes JMP 0000000070423420 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d52ab1 5 bytes JMP 0000000070423560 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075d52d1d 5 bytes JMP 0000000070423250 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007569d2b4 5 bytes JMP 0000000070422970 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007569d4ee 5 bytes JMP 0000000070422980 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075018a29 5 bytes JMP 0000000070422890 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075024572 5 bytes JMP 00000000704231d0 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007503e567 5 bytes JMP 0000000070423240 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000750607d7 5 bytes JMP 0000000070422710 .text C:\Users\kieras\Downloads\316mxkdz.exe[3044] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075077a5c 5 bytes JMP 00000000704231c0 ---- Processes - GMER 2.2 ---- Library C:\Users\kieras\Downloads\install_flashplayer_sr22.exe (*** suspicious ***) @ C:\Users\kieras\Downloads\install_flashplayer_sr22.exe [15512] 0000000000400000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D0810D09-5C97-49C4-B22F-299A0DA07140}\Connection@Name isatap.{98214BB4-BEE4-4855-8DBB-829966092D57} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F2E69A82-987A-4B0B-AC14-71801D6AC7BB}\Connection@Name isatap.{81A27997-B8D6-4432-A17E-4E594BD62E82} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{E888537A-68EF-4CCE-B905-2B65724EF8EA}?\Device\{F2E69A82-987A-4B0B-AC14-71801D6AC7BB}?\Device\{D0810D09-5C97-49C4-B22F-299A0DA07140}?\Device\{3BC78BC8-898C-45CC-ADFF-76F833A08446}?\Device\{8BFE03CE-4ACF-40D4-88E9-E943EE1A3FE9}?\Device\{17502930-27D2-44E0-B43C-5CB654478506}?\Device\{8394EA0E-F482-493E-9744-4FD4DCECF64D}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{E888537A-68EF-4CCE-B905-2B65724EF8EA}"?"{F2E69A82-987A-4B0B-AC14-71801D6AC7BB}"?"{D0810D09-5C97-49C4-B22F-299A0DA07140}"?"{3BC78BC8-898C-45CC-ADFF-76F833A08446}"?"{8BFE03CE-4ACF-40D4-88E9-E943EE1A3FE9}"?"{17502930-27D2-44E0-B43C-5CB654478506}"?"{8394EA0E-F482-493E-9744-4FD4DCECF64D}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{E888537A-68EF-4CCE-B905-2B65724EF8EA}?\Device\TCPIP6TUNNEL_{F2E69A82-987A-4B0B-AC14-71801D6AC7BB}?\Device\TCPIP6TUNNEL_{D0810D09-5C97-49C4-B22F-299A0DA07140}?\Device\TCPIP6TUNNEL_{3BC78BC8-898C-45CC-ADFF-76F833A08446}?\Device\TCPIP6TUNNEL_{8BFE03CE-4ACF-40D4-88E9-E943EE1A3FE9}?\Device\TCPIP6TUNNEL_{17502930-27D2-44E0-B43C-5CB654478506}?\Device\TCPIP6TUNNEL_{8394EA0E-F482-493E-9744-4FD4DCECF64D}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14748951517202280@SetupOperations ?????????????v???m??????????????t?????8??m????????h???????P??m?????????e?????m???x??????????????????????????????Performance Counters for Windows Driver??????m???m??.NTAMD64?????????|??????????????????????????????????t????????????????????y?y?m?????o??????????????????????????????????????e??????????????m????????????????????????????????????????????2???????????h???????6??m????????h?????????????????????????????????t?????$?????????p????????????????m??????????????????????????????????????pujuaftu?t???m????????????????????????????????????????P??m????????h?????\SystemRoot\system32\drivers\pciide.sys?bf????(??m??????p???System Bus Extender???????R??m???????????d??mshdc.inf_amd64_neutral_a69a58a4286f0b22?????m?m?m?m?m?m?m??????????? ???????? ??:??????p????????????m??????????1.0.4.220????y?y???????? ??????g????????????????t????????????????????m???????????m?m?m?m???m?m???????????????????`?`?c?h?h?h?????????????????????????????5????:???????????h?????????????????????????????t???????????????????Tdx?tcpip?????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14748952306232280@SetupOperations ????????cdrom_install????????????????????????????????????????????n??Microsoft????????l???y???????y??C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe??????Intel(R) Management and Security Application Local Management Service???????????????????? ???m??????????????LocalSystem??????????m?????????n????????????????????????Allows applications to access the local Intel(R) Management and Security Application using its locally-available selected network interfaces.?????8??m????????h??????????????????????????????????v??tv???d?e?e?e?e?e?~?e?????????????????????????????m???????????????n?o?????????????m???????????????????????e??4???????????????t????????????_??????Tc???????????????????????????????:???:???~???????????????????????????????????:????????