GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-06 15:02:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0006SDM2 465,76GB Running: 3rbjsiyh.exe; Driver: C:\Users\Natalia\AppData\Local\Temp\pxloqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff80002db8000 93 bytes [89, 6C, 24, 70, E9, 4B, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 638 fffff80002db805e 57 bytes [05, 05, 20, 1B, 00, 49, 8D, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 000000014a200460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 000000014a200450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 000000014a200370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 000000014a200470 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 000000014a2003e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 000000014a200320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 000000014a2003b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 000000014a200390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 000000014a2002e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 000000014a2002d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 000000014a200310 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 000000014a2003c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 000000014a2003f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 000000014a200230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 000000014a200480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 000000014a2003a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 000000014a2002f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 000000014a200350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 000000014a200290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 000000014a2002b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 000000014a2003d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 000000014a200330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 000000014a200410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 000000014a200240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 000000014a2001e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 000000014a200250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 000000014a200490 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 000000014a2004a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 000000014a200300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 000000014a200360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 000000014a2002a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 000000014a2002c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 000000014a200380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 000000014a200340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 000000014a200440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 000000014a200260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 000000014a200270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 000000014a200400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 000000014a2001f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 000000014a200210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 000000014a200200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 000000014a200420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 000000014a200430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 000000014a200220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 000000014a200280 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 000000014a200460 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 000000014a200450 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 000000014a200370 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 000000014a200470 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 000000014a2003e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 000000014a200320 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 000000014a2003b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 000000014a200390 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 000000014a2002e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 000000014a2002d0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 000000014a200310 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 000000014a2003c0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 000000014a2003f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 000000014a200230 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 000000014a200480 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 000000014a2003a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 000000014a2002f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 000000014a200350 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 000000014a200290 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 000000014a2002b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 000000014a2003d0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 000000014a200330 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 000000014a200410 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 000000014a200240 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 000000014a2001e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 000000014a200250 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 000000014a200490 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 000000014a2004a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 000000014a200300 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 000000014a200360 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 000000014a2002a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 000000014a2002c0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 000000014a200380 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 000000014a200340 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 000000014a200440 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 000000014a200260 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 000000014a200270 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 000000014a200400 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 000000014a2001f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 000000014a200210 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 000000014a200200 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 000000014a200420 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 000000014a200430 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 000000014a200220 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 000000014a200280 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\lsm.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[1688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Users\Natalia\AppData\Local\Facebook\Update\FacebookUpdate.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e51465 2 bytes [E5, 76] .text C:\Users\Natalia\AppData\Local\Facebook\Update\FacebookUpdate.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e514bb 2 bytes [E5, 76] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e51465 2 bytes [E5, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe[1640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e514bb 2 bytes [E5, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2232] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e78769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e51465 2 bytes [E5, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e514bb 2 bytes [E5, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e51465 2 bytes [E5, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e514bb 2 bytes [E5, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [1764] entry point in ".rdata" section 0000000074b271e6 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\splwow64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077271360 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772713b0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077271560 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077271570 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077271620 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077271650 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077271670 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772716b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077271730 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077271750 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077271790 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772717e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077271940 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077271b00 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077271b30 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077271c10 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077271c20 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077271c80 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077271d10 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077271d30 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077271d40 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077271db0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077271de0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772720a0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077272160 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077272190 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772721a0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772721d0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772721e0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077272240 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077272290 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772722c0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772722d0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772725c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772727c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772727d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772729a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772729b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077272a20 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077272a80 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077272a90 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077272aa0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[2444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077272b80 5 bytes JMP 00000000773d0280 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffae2e834 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffae2e834 (not active ControlSet) ---- EOF - GMER 2.1 ----