GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-30 10:23:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AZRX-00A8LB0 rev.01.01A01 465.76GB Running: gmer.exe; Driver: C:\Users\KAAM\AppData\Local\Temp\kxldqpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff960000c5b20 8 bytes [6C, BC, CD, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000f5600 7 bytes [00, 66, F3, FF, 41, 70, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f5608 3 bytes [C0, 06, 02] .text ... * 107 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 468 fffff960001bd8c8 6 bytes {JMP QWORD [RIP-0xc3976]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 0000000149960450 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 0000000149960440 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0xffffffffd2722990} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 0000000149960360 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 0000000149960460 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000001499603d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 0000000149960310 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000001499603a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 0000000149960380 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000001499602d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000001499602c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0xffffffffd2722490} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 0000000149960300 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000001499603b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000001499603e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 0000000149960220 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 0000000149960470 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 0000000149960390 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000001499602e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 0000000149960340 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 0000000149960280 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000001499602a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0xffffffffd2721e90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000001499603c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0xffffffffd2721f90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 0000000149960320 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 0000000149960400 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 0000000149960230 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000001499601d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 0000000149960240 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 0000000149960480 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 0000000149960490 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000001499602f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 0000000149960350 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 0000000149960290 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000001499602b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 0000000149960370 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 0000000149960330 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 0000000149960430 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 0000000149960250 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0xffffffffd2721390} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 0000000149960260 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0xffffffffd2721390} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000001499603f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000001499601e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 0000000149960200 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000001499601f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 0000000149960410 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0xffffffffd2721290} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 0000000149960420 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0xffffffffd2721290} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 0000000149960210 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 0000000149960270 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 0000000149960450 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 0000000149960440 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0xffffffffd2722990} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 0000000149960360 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 0000000149960460 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000001499603d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 0000000149960310 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000001499603a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 0000000149960380 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000001499602d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000001499602c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0xffffffffd2722490} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 0000000149960300 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000001499603b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000001499603e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 0000000149960220 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 0000000149960470 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 0000000149960390 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000001499602e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 0000000149960340 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 0000000149960280 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000001499602a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0xffffffffd2721e90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000001499603c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0xffffffffd2721f90} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 0000000149960320 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 0000000149960400 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 0000000149960230 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000001499601d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 0000000149960240 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 0000000149960480 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 0000000149960490 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000001499602f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 0000000149960350 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 0000000149960290 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000001499602b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 0000000149960370 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 0000000149960330 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 0000000149960430 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 0000000149960250 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0xffffffffd2721390} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 0000000149960260 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0xffffffffd2721390} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000001499603f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000001499601e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 0000000149960200 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000001499601f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 0000000149960410 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0xffffffffd2721290} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 0000000149960420 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0xffffffffd2721290} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 0000000149960210 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 0000000149960270 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0xffffffff88e32990} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0xffffffff88e32490} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0xffffffff88e31e90} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0xffffffff88e31f90} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0xffffffff88e32990} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0xffffffff88e32490} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0xffffffff88e31e90} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0xffffffff88e31f90} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\winlogon.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\System32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\System32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0xffffffff88e32990} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0xffffffff88e32490} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0xffffffff88e31e90} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0xffffffff88e31f90} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\taskhost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\Explorer.EXE[1984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\SysWOW64\PnkBstrA.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000074bd17fa 2 bytes CALL 74e211a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074bd1860 2 bytes CALL 74e211a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074bd1942 2 bytes JMP 750b7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000074bd194d 2 bytes JMP 750bcba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000074bd17fa 2 bytes CALL 74e211a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074bd1860 2 bytes CALL 74e211a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074bd1942 2 bytes JMP 750b7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000074bd194d 2 bytes JMP 750bcba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075ca1401 2 bytes JMP 74e4b233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075ca1419 2 bytes JMP 74e4b35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075ca1431 2 bytes JMP 74ec9011 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075ca144a 2 bytes CALL 74e248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075ca14dd 2 bytes JMP 74ec890a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075ca14f5 2 bytes JMP 74ec8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075ca150d 2 bytes JMP 74ec8800 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075ca1525 2 bytes JMP 74ec8bca C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075ca153d 2 bytes JMP 74e3fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075ca1555 2 bytes JMP 74e46907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075ca156d 2 bytes JMP 74ec90c9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075ca1585 2 bytes JMP 74ec8c2a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075ca159d 2 bytes JMP 74ec87c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075ca15b5 2 bytes JMP 74e3fd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075ca15cd 2 bytes JMP 74e4b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075ca16b2 2 bytes JMP 74ec8f8c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrB.exe[2484] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075ca16bd 2 bytes JMP 74ec8759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075ca1401 2 bytes JMP 74e4b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075ca1419 2 bytes JMP 74e4b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075ca1431 2 bytes JMP 74ec9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075ca144a 2 bytes CALL 74e248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075ca14dd 2 bytes JMP 74ec890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075ca14f5 2 bytes JMP 74ec8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075ca150d 2 bytes JMP 74ec8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075ca1525 2 bytes JMP 74ec8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075ca153d 2 bytes JMP 74e3fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075ca1555 2 bytes JMP 74e46907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075ca156d 2 bytes JMP 74ec90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075ca1585 2 bytes JMP 74ec8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075ca159d 2 bytes JMP 74ec87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075ca15b5 2 bytes JMP 74e3fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075ca15cd 2 bytes JMP 74e4b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075ca16b2 2 bytes JMP 74ec8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2532] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075ca16bd 2 bytes JMP 74ec8759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\GWX\GWX.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075ca1401 2 bytes JMP 74e4b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075ca1419 2 bytes JMP 74e4b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075ca1431 2 bytes JMP 74ec9011 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075ca144a 2 bytes CALL 74e248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075ca14dd 2 bytes JMP 74ec890a C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075ca14f5 2 bytes JMP 74ec8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075ca150d 2 bytes JMP 74ec8800 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075ca1525 2 bytes JMP 74ec8bca C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075ca153d 2 bytes JMP 74e3fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075ca1555 2 bytes JMP 74e46907 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075ca156d 2 bytes JMP 74ec90c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075ca1585 2 bytes JMP 74ec8c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075ca159d 2 bytes JMP 74ec87c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075ca15b5 2 bytes JMP 74e3fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075ca15cd 2 bytes JMP 74e4b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075ca16b2 2 bytes JMP 74ec8f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\KAAM\AppData\Local\mbot_be_014010221\upmbot_be_014010221.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075ca16bd 2 bytes JMP 74ec8759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Program Files\CCleaner\CCleaner64.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3048] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074e28791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075ca1401 2 bytes JMP 74e4b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075ca1419 2 bytes JMP 74e4b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075ca1431 2 bytes JMP 74ec9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075ca144a 2 bytes CALL 74e248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075ca14dd 2 bytes JMP 74ec890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075ca14f5 2 bytes JMP 74ec8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075ca150d 2 bytes JMP 74ec8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075ca1525 2 bytes JMP 74ec8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075ca153d 2 bytes JMP 74e3fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075ca1555 2 bytes JMP 74e46907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075ca156d 2 bytes JMP 74ec90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075ca1585 2 bytes JMP 74ec8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075ca159d 2 bytes JMP 74ec87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075ca15b5 2 bytes JMP 74e3fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075ca15cd 2 bytes JMP 74e4b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075ca16b2 2 bytes JMP 74ec8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\mbot_be_014010221\mbot_be_014010221.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075ca16bd 2 bytes JMP 74ec8759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Program Files\CCleaner\CCleaner64.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0xffffffff88e32990} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0xffffffff88e32490} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0xffffffff88e31e90} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0xffffffff88e31f90} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0xffffffff88e31390} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0xffffffff88e31290} .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[4824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\system32\wbem\wmiprvse.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text C:\Windows\System32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007723da60 5 bytes JMP 00000000773a0450 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007723dab0 1 byte JMP 00000000773a0440 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007723dab2 3 bytes {JMP 0x162990} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007723dc10 5 bytes JMP 00000000773a0360 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007723dc60 5 bytes JMP 00000000773a0460 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007723dc70 5 bytes JMP 00000000773a03d0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007723dd20 5 bytes JMP 00000000773a0310 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007723dd50 5 bytes JMP 00000000773a03a0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007723dd70 5 bytes JMP 00000000773a0380 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007723ddb0 5 bytes JMP 00000000773a02d0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007723de30 1 byte JMP 00000000773a02c0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007723de32 3 bytes {JMP 0x162490} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007723de50 5 bytes JMP 00000000773a0300 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007723de90 5 bytes JMP 00000000773a03b0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007723dee0 5 bytes JMP 00000000773a03e0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007723e040 5 bytes JMP 00000000773a0220 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007723e200 5 bytes JMP 00000000773a0470 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007723e230 5 bytes JMP 00000000773a0390 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007723e310 5 bytes JMP 00000000773a02e0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007723e320 5 bytes JMP 00000000773a0340 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007723e380 5 bytes JMP 00000000773a0280 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007723e410 1 byte JMP 00000000773a02a0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007723e412 3 bytes {JMP 0x161e90} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007723e430 1 byte JMP 00000000773a03c0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007723e432 3 bytes {JMP 0x161f90} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007723e440 5 bytes JMP 00000000773a0320 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007723e4b0 5 bytes JMP 00000000773a0400 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007723e4e0 5 bytes JMP 00000000773a0230 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007723e7a0 5 bytes JMP 00000000773a01d0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007723e860 5 bytes JMP 00000000773a0240 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007723e890 5 bytes JMP 00000000773a0480 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007723e8a0 5 bytes JMP 00000000773a0490 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007723e8d0 5 bytes JMP 00000000773a02f0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007723e8e0 5 bytes JMP 00000000773a0350 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007723e940 5 bytes JMP 00000000773a0290 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007723e990 5 bytes JMP 00000000773a02b0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007723e9c0 5 bytes JMP 00000000773a0370 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007723e9d0 5 bytes JMP 00000000773a0330 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007723ecc0 5 bytes JMP 00000000773a0430 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007723eec0 1 byte JMP 00000000773a0250 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007723eec2 3 bytes {JMP 0x161390} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007723eed0 1 byte JMP 00000000773a0260 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007723eed2 3 bytes {JMP 0x161390} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007723eee0 5 bytes JMP 00000000773a03f0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007723f0a0 5 bytes JMP 00000000773a01e0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007723f0b0 5 bytes JMP 00000000773a0200 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007723f120 5 bytes JMP 00000000773a01f0 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007723f180 1 byte JMP 00000000773a0410 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007723f182 3 bytes {JMP 0x161290} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007723f190 1 byte JMP 00000000773a0420 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007723f192 3 bytes {JMP 0x161290} .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007723f1a0 5 bytes JMP 00000000773a0210 .text E:\FRST\FRST64.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007723f280 5 bytes JMP 00000000773a0270 ---- User IAT/EAT - GMER 2.1 ---- IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef4c8741c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef4c85f10] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef4c85674] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef4c85e2c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef4c87f48] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef4c86a38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef4c86ee8] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef4c87b58] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef4c87ea0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef4c878b0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef4c84fb4] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef4c85d38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3476] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef4c87584] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3DAAE528-8698-4903-B32C-99DA35EAA6F8}@LeaseObtainedTime 1454142221 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3DAAE528-8698-4903-B32C-99DA35EAA6F8}@T1 1454142348 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3DAAE528-8698-4903-B32C-99DA35EAA6F8}@T2 1454142444 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3DAAE528-8698-4903-B32C-99DA35EAA6F8}@LeaseTerminatesTime 1454142476 ---- EOF - GMER 2.1 ----