GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-05 17:05:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-9 WDC_WD2500JB-00REA0 rev.20.00K20 232,89GB Running: gmer.exe; Driver: C:\Users\kaczka2\AppData\Local\Temp\uwldqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 000000004a110480 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 000000004a110470 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 000000004a110360 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 000000004a110490 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 000000004a1103d0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 000000004a110310 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0xffffffffd32eec90} .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 000000004a1103a0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 000000004a110380 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 000000004a1102d0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 000000004a1102c0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 000000004a110300 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 000000004a1103b0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 000000004a110440 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 000000004a1103e0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 000000004a110220 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 000000004a1104a0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 000000004a110390 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 000000004a1102e0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 000000004a110340 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 000000004a110280 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 000000004a1102a0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 000000004a1103c0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 000000004a110320 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 000000004a110410 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 000000004a110230 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 000000004a1103f0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 000000004a1101d0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 000000004a110240 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 000000004a1104b0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 000000004a1104c0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 000000004a1102f0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 000000004a110350 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 000000004a110290 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 000000004a1102b0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 000000004a110370 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 000000004a110330 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 000000004a110460 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 000000004a110420 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 000000004a110250 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 000000004a110260 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 000000004a110400 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 000000004a1101e0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 000000004a110200 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 000000004a1101f0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 000000004a110430 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 000000004a110450 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 000000004a110210 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 000000004a110270 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0xffffffffd32ed690} .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\wininit.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000000120480 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000000120470 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000000120360 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000000120490 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 00000000001203d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000000120310 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0xffffffff892fec90} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 00000000001203a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000000120380 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 00000000001202d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 00000000001202c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000000120300 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 00000000001203b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000000120440 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 00000000001203e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000000120220 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 00000000001204a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000000120390 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 00000000001202e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000000120340 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000000120280 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 00000000001202a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 00000000001203c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000000120320 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000000120410 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000000120230 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 00000000001203f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 00000000001201d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000000120240 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 00000000001204b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 00000000001204c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 00000000001202f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000000120350 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000000120290 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 00000000001202b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000000120370 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000000120330 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000000120460 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000000120420 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000000120250 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000000120260 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000000120400 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 00000000001201e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000000120200 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 00000000001201f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000000120430 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000000120450 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000000120210 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000000120270 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0xffffffff892fd690} .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\services.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\lsm.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0xffffffff8924ec90} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0xffffffff8924d690} .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\taskhost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\Dwm.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Program Files\AMD\CNext\CNext\cnext.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1692] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000752487c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\taskmgr.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076df3ae0 5 bytes JMP 000000000045075c .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076df7a90 5 bytes JMP 00000000004503a4 .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e21370 13 bytes {MOV R11, 0x7fee3a1d418; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e21390 13 bytes {MOV R11, 0x7fee3a1d668; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather 0000000076e214c0 13 bytes {MOV R11, 0x7fee3f941cc; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter 0000000076e215f0 13 bytes {MOV R11, 0x7fee3f94110; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile 0000000076e217c0 13 bytes {MOV R11, 0x7fee3a1d3c4; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e21860 13 bytes {MOV R11, 0x7fee3a1d568; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076e22470 13 bytes {MOV R11, 0x7fee3a1d4d4; JMP R11} .text C:\Program Files\Firefox Developer Edition\firefox.exe[2340] C:\Windows\system32\KERNEL32.dll!SetUnhandledExceptionFilter 0000000076cc9b70 13 bytes {MOV R11, 0x7fee3c523dc; JMP R11} .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076df7a90 13 bytes {MOV R11, 0x7fefa9d9620; JMP R11} .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Program Files\Firefox Developer Edition\plugin-container.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e213c0 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e21410 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21570 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e215c0 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e215d0 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21680 1 byte JMP 0000000076f80310 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000076e21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e216b0 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e216d0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e21710 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21790 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e217b0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e217f0 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e21830 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e21840 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e219a0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b60 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b90 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c70 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c80 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21ce0 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d70 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d90 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21da0 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21e10 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21e40 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e21fe0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e22100 5 bytes JMP 0000000076f801d0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e221c0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e221f0 5 bytes JMP 0000000076f804b0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e22200 5 bytes JMP 0000000076f804c0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e22230 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e22240 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e222a0 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e222f0 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e22320 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e22330 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e22620 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e22780 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e22820 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e22830 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e22840 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e22a00 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e22a10 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a80 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22ae0 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22af0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22b00 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22be0 1 byte JMP 0000000076f80270 .text C:\Windows\system32\NOTEPAD.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000076e22be2 3 bytes {JMP 0x15d690} ---- EOF - GMER 2.2 ----