GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-17 18:17:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3265GSXN rev.GH101M 298,09GB Running: z4l1rkmq.exe; Driver: C:\Users\Ola\AppData\Local\Temp\pwliqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000149e80450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000149e80440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffffd2f42990} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000149e80360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000149e80460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 0000000149e803d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000149e80310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 0000000149e803a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000149e80380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 0000000149e802d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 0000000149e802c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffffd2f42490} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000149e80300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 0000000149e803b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 0000000149e803e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000149e80220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000149e80470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000149e80390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 0000000149e802e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000149e80340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000149e80280 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 0000000149e802a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffffd2f41e90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 0000000149e803c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffffd2f41f90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000149e80320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000149e80400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000149e80230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 0000000149e801d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000149e80240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000149e80480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000149e80490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 0000000149e802f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000149e80350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000149e80290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 0000000149e802b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000149e80370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000149e80330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000149e80430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000149e80250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffffd2f41390} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000149e80260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffffd2f41390} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 0000000149e803f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 0000000149e801e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000149e80200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 0000000149e801f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000149e80410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffffd2f41290} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000149e80420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffffd2f41290} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000149e80210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000149e80270 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\wininit.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000149e80450 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000149e80440 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffffd2f42990} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000149e80360 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000149e80460 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 0000000149e803d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000149e80310 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 0000000149e803a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000149e80380 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 0000000149e802d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 0000000149e802c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffffd2f42490} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000149e80300 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 0000000149e803b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 0000000149e803e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000149e80220 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000149e80470 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000149e80390 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 0000000149e802e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000149e80340 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000149e80280 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 0000000149e802a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffffd2f41e90} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 0000000149e803c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffffd2f41f90} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000149e80320 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000149e80400 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000149e80230 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 0000000149e801d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000149e80240 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000149e80480 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000149e80490 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 0000000149e802f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000149e80350 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000149e80290 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 0000000149e802b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000149e80370 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000149e80330 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000149e80430 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000149e80250 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffffd2f41390} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000149e80260 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffffd2f41390} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 0000000149e803f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 0000000149e801e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000149e80200 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 0000000149e801f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000149e80410 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffffd2f41290} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000149e80420 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffffd2f41290} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000149e80210 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000149e80270 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffff89132990} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffff89132490} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffff89131e90} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffff89131f90} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffff89132990} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffff89132490} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffff89131e90} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffff89131f90} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffff89132990} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffff89132490} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffff89131e90} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffff89131f90} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\AUDIODG.EXE[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffff89132990} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffff89132490} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffff89131e90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffff89131f90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\Dwm.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\taskhost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffff89132990} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffff89132490} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffff89131e90} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffff89131f90} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000100070270 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\igfxtray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\hkcmd.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\igfxpers.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\svchost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ab1401 2 bytes JMP 7525b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ab1419 2 bytes JMP 7525b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ab1431 2 bytes JMP 752d8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ab144a 2 bytes CALL 7523489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ab14dd 2 bytes JMP 752d88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ab14f5 2 bytes JMP 752d8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ab150d 2 bytes JMP 752d87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ab1525 2 bytes JMP 752d8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ab153d 2 bytes JMP 7524fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ab1555 2 bytes JMP 752568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ab156d 2 bytes JMP 752d9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ab1585 2 bytes JMP 752d8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ab159d 2 bytes JMP 752d877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ab15b5 2 bytes JMP 7524fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ab15cd 2 bytes JMP 7525b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ab16b2 2 bytes JMP 752d8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WordFly_1.10.0.28\Service\wfsrvc.exe[2396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ab16bd 2 bytes JMP 752d8713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\SearchIndexer.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\system32\wbem\wmiprvse.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2276] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075238781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 00000000770a0450 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 00000000770a0440 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 00000000770a0360 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 00000000770a0460 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000000770a03d0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 00000000770a0310 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000000770a03a0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 00000000770a0380 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000000770a02d0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000000770a02c0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 00000000770a0300 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000000770a03b0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000000770a03e0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 00000000770a0220 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 00000000770a0470 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 00000000770a0390 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000000770a02e0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 00000000770a0340 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 00000000770a0280 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000000770a02a0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000000770a03c0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 00000000770a0320 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 00000000770a0400 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 00000000770a0230 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000000770a01d0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 00000000770a0240 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 00000000770a0480 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 00000000770a0490 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000000770a02f0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 00000000770a0350 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 00000000770a0290 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000000770a02b0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 00000000770a0370 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 00000000770a0330 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 00000000770a0430 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 00000000770a0250 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 00000000770a0260 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000000770a03f0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000000770a01e0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 00000000770a0200 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000000770a01f0 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 00000000770a0410 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 00000000770a0420 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 00000000770a0210 .text C:\Windows\System32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 00000000770a0270 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f3da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f3dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076f3dab2 3 bytes {JMP 0xffffffff89132990} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f3dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f3dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f3dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f3dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f3dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f3dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f3ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f3de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076f3de32 3 bytes {JMP 0xffffffff89132490} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f3de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f3de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f3dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f3e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f3e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f3e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f3e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f3e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f3e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f3e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076f3e412 3 bytes {JMP 0xffffffff89131e90} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f3e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076f3e432 3 bytes {JMP 0xffffffff89131f90} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f3e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f3e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f3e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f3e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f3e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f3e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f3e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f3e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f3e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f3e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f3e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f3e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f3e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f3ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f3eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076f3eec2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f3eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076f3eed2 3 bytes {JMP 0xffffffff89131390} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f3eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f3f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f3f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f3f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f3f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f3f182 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f3f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076f3f192 3 bytes {JMP 0xffffffff89131290} .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f3f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f3f280 5 bytes JMP 0000000100070270 ---- EOF - GMER 2.1 ----