GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-28 22:24:11 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EADS-22M2B0 rev.01.00A01 931,51GB Running: k7102t0f.exe; Driver: C:\Users\oem\AppData\Local\Temp\pxtiqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 0000000049d90480 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 0000000049d90470 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 0000000049d90360 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 0000000049d90490 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 0000000049d903d0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 0000000049d90310 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 0000000049d903a0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 0000000049d90380 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0xffffffffd2904490} .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 0000000049d902d0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 0000000049d902c0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 0000000049d90300 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 0000000049d903b0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 0000000049d90440 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 0000000049d903e0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 0000000049d90220 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 0000000049d904a0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 0000000049d90390 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 0000000049d902e0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 0000000049d90340 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 0000000049d90280 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 0000000049d902a0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 0000000049d903c0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 0000000049d90320 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 0000000049d90410 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 0000000049d90230 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 0000000049d903f0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 0000000049d901d0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 0000000049d90240 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 0000000049d904b0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 0000000049d904c0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 0000000049d902f0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 0000000049d90350 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 0000000049d90290 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 0000000049d902b0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 0000000049d90370 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 0000000049d90330 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 0000000049d90460 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 0000000049d90420 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 0000000049d90250 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 0000000049d90260 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 0000000049d90400 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 0000000049d901e0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 0000000049d90200 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 0000000049d901f0 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 0000000049d90430 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 0000000049d90450 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 0000000049d90210 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 0000000049d90270 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 0000000049d90480 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 0000000049d90470 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 0000000049d90360 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 0000000049d90490 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 0000000049d903d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 0000000049d90310 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 0000000049d903a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 0000000049d90380 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0xffffffffd2904490} .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 0000000049d902d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 0000000049d902c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 0000000049d90300 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 0000000049d903b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 0000000049d90440 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 0000000049d903e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 0000000049d90220 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 0000000049d904a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 0000000049d90390 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 0000000049d902e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 0000000049d90340 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 0000000049d90280 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 0000000049d902a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 0000000049d903c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 0000000049d90320 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 0000000049d90410 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 0000000049d90230 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 0000000049d903f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 0000000049d901d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 0000000049d90240 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 0000000049d904b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 0000000049d904c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 0000000049d902f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 0000000049d90350 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 0000000049d90290 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 0000000049d902b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 0000000049d90370 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 0000000049d90330 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 0000000049d90460 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 0000000049d90420 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 0000000049d90250 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 0000000049d90260 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 0000000049d90400 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 0000000049d901e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 0000000049d90200 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 0000000049d901f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 0000000049d90430 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 0000000049d90450 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 0000000049d90210 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 0000000049d90270 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0xffffffff88be4490} .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsm.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\System32\svchost.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0xffffffff88be4490} .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\Dwm.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 0000000000070470 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 0000000000070360 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 0000000000070490 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 0000000000070310 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 0000000000070380 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0xffffffff88be4490} .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000000703b0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 0000000000070440 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000000703e0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000000704a0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000000702e0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 0000000000070280 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000000702a0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 0000000000070410 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 0000000000070230 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000000703f0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000000701d0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 0000000000070350 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 0000000000070290 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 0000000000070370 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 0000000000070330 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 0000000000070460 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 0000000000070250 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 0000000000070260 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 0000000000070400 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000000701e0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 0000000000070200 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 0000000000070430 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 0000000000070450 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 0000000000070210 .text C:\Windows\Explorer.EXE[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bb1401 2 bytes JMP 76acb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bb1419 2 bytes JMP 76acb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bb1431 2 bytes JMP 76b490f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bb144a 2 bytes CALL 76aa48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bb14dd 2 bytes JMP 76b489ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bb14f5 2 bytes JMP 76b48bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bb150d 2 bytes JMP 76b488e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bb1525 2 bytes JMP 76b48caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bb153d 2 bytes JMP 76abfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bb1555 2 bytes JMP 76ac6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bb156d 2 bytes JMP 76b491a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bb1585 2 bytes JMP 76b48d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bb159d 2 bytes JMP 76b488a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bb15b5 2 bytes JMP 76abfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bb15cd 2 bytes JMP 76acb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bb16b2 2 bytes JMP 76b4906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bb16bd 2 bytes JMP 76b48839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\System32\svchost.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\System32\svchost.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\SysWOW64\PnkBstrA.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000732917fa 2 bytes CALL 76aa11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073291860 2 bytes CALL 76aa11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073291942 2 bytes JMP 75937089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007329194d 2 bytes JMP 7593cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076bb1401 2 bytes JMP 76acb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076bb1419 2 bytes JMP 76acb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076bb1431 2 bytes JMP 76b490f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076bb144a 2 bytes CALL 76aa48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076bb14dd 2 bytes JMP 76b489ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076bb14f5 2 bytes JMP 76b48bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076bb150d 2 bytes JMP 76b488e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076bb1525 2 bytes JMP 76b48caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076bb153d 2 bytes JMP 76abfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076bb1555 2 bytes JMP 76ac6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076bb156d 2 bytes JMP 76b491a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076bb1585 2 bytes JMP 76b48d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076bb159d 2 bytes JMP 76b488a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076bb15b5 2 bytes JMP 76abfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076bb15cd 2 bytes JMP 76acb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076bb16b2 2 bytes JMP 76b4906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3056] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076bb16bd 2 bytes JMP 76b48839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[3548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0xffffffff88be4490} .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007748bbe0 5 bytes JMP 00000000775f0480 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007748bc30 5 bytes JMP 00000000775f0470 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 5 bytes JMP 00000000775f0360 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007748bde0 5 bytes JMP 00000000775f0490 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007748bdf0 5 bytes JMP 00000000775f03d0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007748bea0 5 bytes JMP 00000000775f0310 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007748bed0 5 bytes JMP 00000000775f03a0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007748bef0 1 byte JMP 00000000775f0380 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007748bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007748bf30 5 bytes JMP 00000000775f02d0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007748bfb0 5 bytes JMP 00000000775f02c0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007748bfd0 5 bytes JMP 00000000775f0300 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007748c010 5 bytes JMP 00000000775f03b0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007748c050 5 bytes JMP 00000000775f0440 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007748c060 5 bytes JMP 00000000775f03e0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007748c1c0 5 bytes JMP 00000000775f0220 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007748c380 5 bytes JMP 00000000775f04a0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007748c3b0 5 bytes JMP 00000000775f0390 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007748c490 5 bytes JMP 00000000775f02e0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007748c4a0 5 bytes JMP 00000000775f0340 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007748c500 5 bytes JMP 00000000775f0280 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007748c590 5 bytes JMP 00000000775f02a0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007748c5b0 5 bytes JMP 00000000775f03c0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007748c5c0 5 bytes JMP 00000000775f0320 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007748c630 5 bytes JMP 00000000775f0410 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007748c660 5 bytes JMP 00000000775f0230 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007748c800 5 bytes JMP 00000000775f03f0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007748c920 5 bytes JMP 00000000775f01d0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007748c9e0 5 bytes JMP 00000000775f0240 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007748ca10 5 bytes JMP 00000000775f04b0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007748ca20 5 bytes JMP 00000000775f04c0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007748ca50 5 bytes JMP 00000000775f02f0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007748ca60 5 bytes JMP 00000000775f0350 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007748cac0 5 bytes JMP 00000000775f0290 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007748cb10 5 bytes JMP 00000000775f02b0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 5 bytes JMP 00000000775f0370 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007748cb50 5 bytes JMP 00000000775f0330 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007748ce40 5 bytes JMP 00000000775f0460 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007748cfa0 5 bytes JMP 00000000775f0420 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007748d040 5 bytes JMP 00000000775f0250 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007748d050 5 bytes JMP 00000000775f0260 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007748d060 5 bytes JMP 00000000775f0400 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007748d220 5 bytes JMP 00000000775f01e0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007748d230 5 bytes JMP 00000000775f0200 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007748d2a0 5 bytes JMP 00000000775f01f0 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007748d300 5 bytes JMP 00000000775f0430 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007748d310 5 bytes JMP 00000000775f0450 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007748d320 5 bytes JMP 00000000775f0210 .text C:\Windows\system32\DllHost.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007748d400 5 bytes JMP 00000000775f0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076aa8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bb1401 2 bytes JMP 76acb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bb1419 2 bytes JMP 76acb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bb1431 2 bytes JMP 76b490f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bb144a 2 bytes CALL 76aa48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bb14dd 2 bytes JMP 76b489ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bb14f5 2 bytes JMP 76b48bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bb150d 2 bytes JMP 76b488e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bb1525 2 bytes JMP 76b48caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bb153d 2 bytes JMP 76abfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bb1555 2 bytes JMP 76ac6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bb156d 2 bytes JMP 76b491a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bb1585 2 bytes JMP 76b48d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bb159d 2 bytes JMP 76b488a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bb15b5 2 bytes JMP 76abfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bb15cd 2 bytes JMP 76acb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bb16b2 2 bytes JMP 76b4906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bb16bd 2 bytes JMP 76b48839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bb1401 2 bytes JMP 76acb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bb1419 2 bytes JMP 76acb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bb1431 2 bytes JMP 76b490f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bb144a 2 bytes CALL 76aa48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bb14dd 2 bytes JMP 76b489ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bb14f5 2 bytes JMP 76b48bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bb150d 2 bytes JMP 76b488e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bb1525 2 bytes JMP 76b48caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bb153d 2 bytes JMP 76abfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bb1555 2 bytes JMP 76ac6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bb156d 2 bytes JMP 76b491a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bb1585 2 bytes JMP 76b48d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bb159d 2 bytes JMP 76b488a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bb15b5 2 bytes JMP 76abfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bb15cd 2 bytes JMP 76acb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bb16b2 2 bytes JMP 76b4906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Solvusoft\Tray\SolvusoftTray.exe[4416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bb16bd 2 bytes JMP 76b48839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 00000000002b075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000002b03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007748bdb0 14 bytes {MOV RAX, 0x7fefa4c7214; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 00000000002f075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5052] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000002f03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 000000000031075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000003103a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 000000000009075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000000903a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007748bc00 7 bytes [48, B8, 54, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007748bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007748bd70 7 bytes [48, B8, C8, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007748bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 7 bytes [48, B8, 74, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007748bd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007748bda0 7 bytes [48, B8, 78, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007748bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007748bdb0 7 bytes [48, B8, 38, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007748bdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007748bdd0 7 bytes [48, B8, A4, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007748bdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007748be20 7 bytes [48, B8, 38, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007748be28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007748be30 7 bytes [48, B8, B0, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007748be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007748be60 7 bytes [48, B8, 1C, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007748be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007748bf00 7 bytes [48, B8, 50, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007748bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007748c080 7 bytes [48, B8, A8, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007748c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007748caf0 7 bytes [48, B8, 98, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007748caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 7 bytes [48, B8, 50, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007748cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007748cc90 7 bytes [48, B8, 64, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007748cc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 000000000040075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000004003a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007748bc00 7 bytes [48, B8, 54, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007748bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007748bd70 7 bytes [48, B8, C8, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007748bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 7 bytes [48, B8, 74, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007748bd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007748bda0 7 bytes [48, B8, 78, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007748bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007748bdb0 7 bytes [48, B8, 38, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007748bdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007748bdd0 7 bytes [48, B8, A4, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007748bdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007748be20 7 bytes [48, B8, 38, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007748be28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007748be30 7 bytes [48, B8, B0, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007748be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007748be60 7 bytes [48, B8, 1C, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007748be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007748bf00 7 bytes [48, B8, 50, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007748bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007748c080 7 bytes [48, B8, A8, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007748c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007748caf0 7 bytes [48, B8, 98, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007748caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 7 bytes [48, B8, 50, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007748cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007748cc90 7 bytes [48, B8, 64, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007748cc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 00000000004b075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000004b03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007748bc00 7 bytes [48, B8, 54, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007748bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007748bd70 7 bytes [48, B8, C8, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007748bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 7 bytes [48, B8, 74, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007748bd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007748bda0 7 bytes [48, B8, 78, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007748bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007748bdb0 7 bytes [48, B8, 38, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007748bdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007748bdd0 7 bytes [48, B8, A4, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007748bdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007748be20 7 bytes [48, B8, 38, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007748be28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007748be30 7 bytes [48, B8, B0, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007748be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007748be60 7 bytes [48, B8, 1C, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007748be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007748bf00 7 bytes [48, B8, 50, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007748bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007748c080 7 bytes [48, B8, A8, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007748c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007748caf0 7 bytes [48, B8, 98, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007748caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 7 bytes [48, B8, 50, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007748cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007748cc90 7 bytes [48, B8, 64, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007748cc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077462170 5 bytes JMP 000000000038075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077465be0 5 bytes JMP 00000000003803a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007748bc00 7 bytes [48, B8, 54, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007748bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007748bd70 7 bytes [48, B8, C8, EE, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007748bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007748bd90 7 bytes [48, B8, 74, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007748bd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007748bda0 7 bytes [48, B8, 78, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007748bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007748bdb0 7 bytes [48, B8, 38, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 000000007748bdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007748bdd0 7 bytes [48, B8, A4, ED, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 000000007748bdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007748be20 7 bytes [48, B8, 38, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007748be28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007748be30 7 bytes [48, B8, B0, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007748be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007748be60 7 bytes [48, B8, 1C, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007748be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007748bf00 7 bytes [48, B8, 50, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007748bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007748c080 7 bytes [48, B8, A8, EF, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007748c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007748caf0 7 bytes [48, B8, 98, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007748caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007748cb40 7 bytes [48, B8, 50, F2, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007748cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007748cc90 7 bytes [48, B8, 64, F0, 88, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007748cc98 6 bytes {ADD [RAX], AL; JMP RAX} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed852eef8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed852e73c] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed852eee0] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed852f12c] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3528] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed76a1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed852eef8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed852e73c] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed852eee0] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed852f12c] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2980] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed76a1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fed852eef8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fed852e73c] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fed852eee0] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fed852f12c] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3988] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fed76a1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:2824] 0000000077677ad8 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:2832] 0000000077671697 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3252] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3256] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3260] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3264] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3268] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3272] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3276] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3280] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3284] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3288] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3408] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3412] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3416] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3420] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3428] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3432] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3436] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3444] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3448] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3452] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3460] 0000000077677ad8 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3472] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3488] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3492] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3496] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3524] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3800] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:3804] 000000006e2b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2500:4404] 000000006e2b29e1 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14843859985872280@SetupOperations ????????????st??? ???????,????????????????????????%??????????E??? ??????????????????????????????N???????d6???????&???????????\???e??bttgiuue?s???????????w???\???????????\?????s20???????????d??s???LegacyDriver?F????N??????S????Dre\??{8ECC055D-047F-11D1-A537-0000F8753ED1}?:\P??? ???????s?????T S??bttgiuue?s??????????????20??????????@volsnap.inf,%storage\volumesnapshot.devicedesc%;Rodzajowa kopia w tle wolumin?w?????????????s?????????????n?h?????????????????????????n?????????????t???????????????????????v???????????.???????????|???????????????????????????????????????????????????????????????????????????????????-?????????????n-0???????????????????????????????????????|???????????????????????5???????????n??????????????????????ep????H??????????????????????)??H?????????????????????????????????????????H?????????????????????????H????????????????????????????????????????#H????????????????????????)????H????????????????????????????????????????#H????????????????????????)????H?????????????????????????????????????????H???????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14843860788982280@SetupOperations ????????@volsnap.inf,%storage\volumesnapshot.devicedesc%;Rodzajowa kopia w tle wolumin?w?????????????s?????????????n?h?????????????????????????n?????????????t???????????????????????v???????????.???????????|???????????????????????????????????????????????????????????????????????????????????-?????????????n-0???????????????????????????????????????|???????????????????????5???????????n??????????????????????ep????H??????????????????????)??H?????????????????????????????????????????H?????????????????????????H????????????????????????????????????????#H????????????????????????)????H????????????????????????????????????????#H????????????????????????)????H?????????????????????????????????????????H??????????????????????z?z?{`|?|??????????????????????????????????H????????????????????????????????????s??H???????????????????????????????????????H?????????????????????????????????????????R????????????n????? ???????????????????????????? ??????????????????????????????\???????s??????????as??????????????????????????????????? ????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14843859985872280@SetupOperations ?????`???????????????????????y???????????????t???y????????????????????>???????????????????8??????t???????t???????????I???I??????????? ???????_??????????LegacyDriver?????????f???.??s????????????o??wa???????\??usb\unknown??????????????????????? ?????????????winusb.sys??ST???????????7??????????????bd???????????S????????????????????????????????????????????????????????????????????????????????"?????????????Port_#0001.Hub_#0004???????????????????s????{745a17a0-74d3-11d0-b6fe-00a0c90f57da}??\C??\C????N??????????????????????????????????T??of??UDisk ????Microsoft???Microsoft?????B??????}???????????????1??85???????????????????b?b?b?b?b?b?????????????t???????????????V??T ???????????a??\a??????????????????????????@usb.inf,%usb\composite.devicedesc%;Urz?dzenie kompozytowe USB?006???????????t???????????????????????$???????i???????????????????y??USB\VID_09DA&PID_9090&REV_0191&MI_01?USB\VID_09DA&PID_9090&MI_01?????????????8???8??wpdmtp.inf????????????????????????B?????????????????????????????????????????????Composi Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14843860788982280@SetupOperations ????????aswHdsKe?l????N???????????????????B??????v??????? ??????????????????Microsoft????????????j???????????/??????????? ???????????????s??? ???????????????a??????????????????????EraserUtilDrv11220??????? ???z???i?????e?u????$??????s??c.??????????????????disk.inf?????????????b???d???????????t??????????????????????????????????????????????????? ???????T?????6????? ???????f?????g?~???~??6.1.7600.16385??????6.1.7601.17514?nam???????????}???????????????????????l??\a??Basic_Install???????????????????????????@oem11.inf,%mfg%;Hewlett-Packard?????????????????????????\?????????????????s?????????????????????????????,???????/?/?/?/?.?T?U?T?B?U?\?d?\??acpi.inf_amd64_neutral_2a841284c9de8962??????/?/?/?W?W?Z?\?_?Z?_?_?_?B???\?d?????????????r?????sI????????????????????????????????????????????U?_?_?`?`?`?`?`???`?????????????9???????????????A?? S??DiskDrive???LegacyDriver????wcsugvvt?????n??????????????????????????t???.NT?????usb\composite????????????4??????????????60??????????????l?????X??????/???.??????????????????????? ? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C996033-0C53-06E3-2622-D7C2F56A739D} ---- EOF - GMER 2.2 ----