GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-16 14:36:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000059 SAMSUNG_ rev.FH10 232,88GB Running: dcez7m78.exe; Driver: C:\Users\KRZYSZ~1\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0xffffffff885ff090} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff885fec90} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000001001201d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0xffffffff885fe290} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0xffffffff885fe290} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff885fd690} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 000000014a610450 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0xffffffffd2aef090} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 000000014a610440 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 000000014a610360 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 000000014a610460 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 000000014a6103d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 000000014a610310 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffffd2aeec90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 000000014a6103a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 000000014a610380 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 000000014a6102d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 000000014a6102c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 000000014a610300 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 000000014a6103b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 000000014a6103e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 000000014a610220 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 000000014a610470 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 000000014a610390 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 000000014a6102e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 000000014a610340 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 000000014a610280 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 000000014a6102a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 000000014a6103c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 000000014a610320 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 000000014a610400 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 000000014a610230 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 000000014a6101d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 000000014a610240 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 000000014a610480 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0xffffffffd2aee290} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 000000014a610490 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0xffffffffd2aee290} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 000000014a6102f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 000000014a610350 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 000000014a610290 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 000000014a6102b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 000000014a610370 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 000000014a610330 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 000000014a610430 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 000000014a610250 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 000000014a610260 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 000000014a6103f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 000000014a6101e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 000000014a610200 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 000000014a6101f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 000000014a610410 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 000000014a610420 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 000000014a610210 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 000000014a610270 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffffd2aed690} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\nvvsvc.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0xffffffff8854f090} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0xffffffff8854e290} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0xffffffff8854e290} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\nvvsvc.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\Dwm.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000100070450 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0xffffffff8854f090} .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000100070310 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000001000701d0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000100070480 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0xffffffff8854e290} .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000100070490 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0xffffffff8854e290} .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000100070270 .text C:\Windows\Explorer.EXE[332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\svchost.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\SearchIndexer.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077b213c2 3 bytes {JMP 0xffffffff8854f090} .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 1 byte JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077b221f2 3 bytes {JMP 0xffffffff8854e290} .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 1 byte JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077b22202 3 bytes {JMP 0xffffffff8854e290} .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2340:2596] 000007fef7bf9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x49 0x03 0x08 0xA7 ... ---- EOF - GMER 2.1 ----