GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-04 03:41:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST950032 rev.0003 465,76GB Running: pp6brxz2.exe; Driver: C:\Users\SCHLEP~1\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000100040450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000100040440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0xffffffff88d72990} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000100040360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000100040460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000100040310 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000100040380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000001000402c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0xffffffff88d72490} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000100040300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000100040220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000100040470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000100040390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000100040340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000100040280 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000001000402a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0xffffffff88d71e90} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000001000403c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0xffffffff88d71f90} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000100040320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000100040230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000001000401d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000100040240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000100040480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000100040490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000100040350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000100040290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000100040370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000100040330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000100040430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000100040250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0xffffffff88d71390} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000100040260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0xffffffff88d71390} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000100040200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000100040410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0xffffffff88d71290} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000100040420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0xffffffff88d71290} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000100040270 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000149cc0450 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000149cc0440 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0xffffffffd29f2990} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000149cc0360 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000149cc0460 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 0000000149cc03d0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000149cc0310 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 0000000149cc03a0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000149cc0380 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 0000000149cc02d0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 0000000149cc02c0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0xffffffffd29f2490} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000149cc0300 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 0000000149cc03b0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 0000000149cc03e0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000149cc0220 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000149cc0470 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000149cc0390 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 0000000149cc02e0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000149cc0340 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000149cc0280 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 0000000149cc02a0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0xffffffffd29f1e90} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 0000000149cc03c0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0xffffffffd29f1f90} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000149cc0320 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000149cc0400 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000149cc0230 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 0000000149cc01d0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000149cc0240 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000149cc0480 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000149cc0490 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 0000000149cc02f0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000149cc0350 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000149cc0290 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 0000000149cc02b0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000149cc0370 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000149cc0330 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000149cc0430 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000149cc0250 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0xffffffffd29f1390} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000149cc0260 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0xffffffffd29f1390} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 0000000149cc03f0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 0000000149cc01e0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000149cc0200 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 0000000149cc01f0 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000149cc0410 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0xffffffffd29f1290} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000149cc0420 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0xffffffffd29f1290} .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000149cc0210 .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000149cc0270 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\System32\svchost.exe[276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0xffffffff88da2990} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0xffffffff88da2490} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0xffffffff88da1e90} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0xffffffff88da1f90} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0xffffffff88da1390} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0xffffffff88da1390} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000100070410 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0xffffffff88da1290} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000100070420 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0xffffffff88da1290} .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\WLANExt.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\System32\spoolsv.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\Dwm.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0xffffffff88da2990} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0xffffffff88da2490} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0xffffffff88da1e90} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0xffffffff88da1f90} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0xffffffff88da1390} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0xffffffff88da1390} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0xffffffff88da1290} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0xffffffff88da1290} .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000100070270 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000100070450 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000100070440 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0xffffffff88da2990} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000100070360 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000100070310 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000100070380 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000001000702c0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0xffffffff88da2490} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000100070300 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000100070220 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000100070470 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000100070390 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000100070340 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000100070280 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000001000702a0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0xffffffff88da1e90} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000001000703c0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0xffffffff88da1f90} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000100070320 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000100070240 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000100070480 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000100070290 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000100070250 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0xffffffff88da1390} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000100070260 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0xffffffff88da1390} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000100070410 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0xffffffff88da1290} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000100070420 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0xffffffff88da1290} .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\rundll32.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3056] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007599d2b4 5 bytes JMP 0000000171bb1950 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3056] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007599d4ee 5 bytes JMP 0000000171bb19d0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef489d0 8 bytes JMP 000007fff59a0148 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef4be40 8 bytes JMP 000007fff59a0110 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef59e96b0 6 bytes JMP 000007fff59a00d8 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\dxgi.dll!DXGID3D10CreateDevice 000007fef7c3c638 5 bytes JMP 000007fff7c10148 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7c3dc88 5 bytes JMP 000007fff7c100d8 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7c3de10 5 bytes JMP 000007fff7c10110 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\system32\d3d10.dll!D3D10CreateDevice 00000000024eafcc 9 bytes JMP 00000001024900d8 .text C:\Windows\System32\hkcmd.exe[1288] C:\Windows\System32\d3d11.dll!D3D11CreateDevice 000007fef7870090 7 bytes JMP 000007fef7c10180 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef489d0 8 bytes JMP 000007fff59a0148 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef4be40 8 bytes JMP 000007fff59a0110 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef59e96b0 6 bytes JMP 000007fff59a00d8 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\dxgi.dll!DXGID3D10CreateDevice 000007fef7c3c638 5 bytes JMP 000007fff7c10148 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7c3dc88 5 bytes JMP 000007fff7c100d8 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7c3de10 5 bytes JMP 000007fff7c10110 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\system32\d3d10.dll!D3D10CreateDevice 000000000213afcc 9 bytes JMP 0000000101fe00d8 .text C:\Windows\System32\igfxpers.exe[1560] C:\Windows\System32\d3d11.dll!D3D11CreateDevice 000007fef7870090 7 bytes JMP 000007fef7c10180 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef489d0 8 bytes JMP 000007fff59a0148 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef4be40 8 bytes JMP 000007fff59a0110 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef59e96b0 6 bytes JMP 000007fff59a00d8 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\dxgi.dll!DXGID3D10CreateDevice 000007fef7c3c638 5 bytes JMP 000007fff7c10148 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7c3dc88 5 bytes JMP 000007fff7c100d8 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7c3de10 5 bytes JMP 000007fff7c10110 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\d3d10.dll!D3D10CreateDevice 000000000239afcc 9 bytes JMP 00000001023400d8 .text C:\Windows\system32\igfxsrvc.exe[2284] C:\Windows\system32\d3d11.dll!D3D11CreateDevice 000007fef7870090 7 bytes JMP 000007fef7c10180 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef489d0 8 bytes JMP 000007fff59a0148 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef4be40 8 bytes JMP 000007fff59a0110 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef59e96b0 6 bytes JMP 000007fff59a00d8 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\dxgi.dll!DXGID3D10CreateDevice 000007fef7c3c638 5 bytes JMP 000007fff7c10148 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7c3dc88 5 bytes JMP 000007fff7c100d8 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7c3de10 5 bytes JMP 000007fff7c10110 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\d3d10.dll!D3D10CreateDevice 000000000257afcc 9 bytes JMP 00000001025200d8 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[2808] C:\Windows\system32\d3d11.dll!D3D11CreateDevice 000007fef7870090 7 bytes JMP 000007fef7c10180 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3160] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007599d2b4 5 bytes JMP 0000000171bb1950 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3160] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007599d4ee 5 bytes JMP 0000000171bb19d0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754e8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007599d2b4 5 bytes JMP 0000000171bb1950 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007599d4ee 5 bytes JMP 0000000171bb19d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075291401 2 bytes JMP 7550b20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075291419 2 bytes JMP 7550b336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075291431 2 bytes JMP 75588f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007529144a 2 bytes CALL 754e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752914dd 2 bytes JMP 75588832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752914f5 2 bytes JMP 75588a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007529150d 2 bytes JMP 75588728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075291525 2 bytes JMP 75588af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007529153d 2 bytes JMP 754ffc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075291555 2 bytes JMP 755068df C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007529156d 2 bytes JMP 75588ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075291585 2 bytes JMP 75588b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007529159d 2 bytes JMP 755886ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752915b5 2 bytes JMP 754ffd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752915cd 2 bytes JMP 7550b2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752916b2 2 bytes JMP 75588eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752916bd 2 bytes JMP 75588681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\system32\svchost.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\System32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef489d0 8 bytes JMP 000007fff59a0148 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef4be40 8 bytes JMP 000007fff59a0110 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef59e96b0 6 bytes JMP 000007fff59a00d8 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\dxgi.dll!DXGID3D10CreateDevice 000007fef7c3c638 5 bytes JMP 000007fff7c10148 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7c3dc88 5 bytes JMP 000007fff7c100d8 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7c3de10 5 bytes JMP 000007fff7c10110 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\d3d10.dll!D3D10CreateDevice 00000000024fafcc 9 bytes JMP 00000001024a00d8 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\d3d11.dll!D3D11CreateDevice 000007fef7870090 7 bytes JMP 000007fef7c10180 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772cda60 5 bytes JMP 0000000077430450 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772cdab0 1 byte JMP 0000000077430440 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000772cdab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772cdc10 5 bytes JMP 0000000077430360 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772cdc60 5 bytes JMP 0000000077430460 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772cdc70 5 bytes JMP 00000000774303d0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772cdd20 5 bytes JMP 0000000077430310 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772cdd50 5 bytes JMP 00000000774303a0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000772cdd70 5 bytes JMP 0000000077430380 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772cddb0 5 bytes JMP 00000000774302d0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772cde30 1 byte JMP 00000000774302c0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000772cde32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772cde50 5 bytes JMP 0000000077430300 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772cde90 5 bytes JMP 00000000774303b0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772cdee0 5 bytes JMP 00000000774303e0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772ce040 5 bytes JMP 0000000077430220 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ce200 5 bytes JMP 0000000077430470 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772ce230 5 bytes JMP 0000000077430390 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772ce310 5 bytes JMP 00000000774302e0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772ce320 5 bytes JMP 0000000077430340 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772ce380 5 bytes JMP 0000000077430280 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772ce410 1 byte JMP 00000000774302a0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000772ce412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772ce430 1 byte JMP 00000000774303c0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000772ce432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772ce440 5 bytes JMP 0000000077430320 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772ce4b0 5 bytes JMP 0000000077430400 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772ce4e0 5 bytes JMP 0000000077430230 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772ce7a0 5 bytes JMP 00000000774301d0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772ce860 5 bytes JMP 0000000077430240 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772ce890 5 bytes JMP 0000000077430480 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772ce8a0 5 bytes JMP 0000000077430490 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772ce8d0 5 bytes JMP 00000000774302f0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772ce8e0 5 bytes JMP 0000000077430350 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772ce940 5 bytes JMP 0000000077430290 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772ce990 5 bytes JMP 00000000774302b0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772ce9c0 5 bytes JMP 0000000077430370 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772ce9d0 5 bytes JMP 0000000077430330 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772cecc0 5 bytes JMP 0000000077430430 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772ceec0 1 byte JMP 0000000077430250 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000772ceec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772ceed0 1 byte JMP 0000000077430260 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000772ceed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772ceee0 5 bytes JMP 00000000774303f0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772cf0a0 5 bytes JMP 00000000774301e0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772cf0b0 5 bytes JMP 0000000077430200 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772cf120 5 bytes JMP 00000000774301f0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772cf180 1 byte JMP 0000000077430410 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 00000000772cf182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772cf190 1 byte JMP 0000000077430420 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 00000000772cf192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772cf1a0 5 bytes JMP 0000000077430210 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772cf280 5 bytes JMP 0000000077430270 .text C:\Users\Schleppel\Desktop\pp6brxz2.exe[6116] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007599d2b4 5 bytes JMP 0000000171bb1950 .text C:\Users\Schleppel\Desktop\pp6brxz2.exe[6116] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007599d4ee 5 bytes JMP 0000000171bb19d0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd97704 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd97704@d4e8b22156c9 0xE5 0x1D 0x69 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd97704@28987be47b66 0x38 0x83 0x61 0xA3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd97704 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd97704@d4e8b22156c9 0xE5 0x1D 0x69 0x99 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd97704@28987be47b66 0x38 0x83 0x61 0xA3 ... ---- EOF - GMER 2.1 ----