GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-15 17:42:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006d CT250BX1 rev.MU02 232,89GB Running: b9fuj3x4.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\pgddyaoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 000000004a0d0480 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 000000004a0d0470 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 000000004a0d0360 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 000000004a0d0490 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 000000004a0d03d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 000000004a0d0310 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 000000004a0d03a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 000000004a0d0380 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0xffffffffd29b4490} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 000000004a0d02d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 000000004a0d02c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 000000004a0d0300 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 000000004a0d03b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 000000004a0d0440 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 000000004a0d03e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 000000004a0d0220 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 000000004a0d04a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 000000004a0d0390 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 000000004a0d02e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 000000004a0d0340 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 000000004a0d0280 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 000000004a0d02a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 000000004a0d03c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 000000004a0d0320 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 000000004a0d0410 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 000000004a0d0230 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 000000004a0d03f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 000000004a0d01d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 000000004a0d0240 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 000000004a0d04b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 000000004a0d04c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 000000004a0d02f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 000000004a0d0350 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 000000004a0d0290 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 000000004a0d02b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 000000004a0d0370 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 000000004a0d0330 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 000000004a0d0460 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 000000004a0d0420 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 000000004a0d0250 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 000000004a0d0260 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 000000004a0d0400 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 000000004a0d01e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 000000004a0d0200 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 000000004a0d01f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 000000004a0d0430 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 000000004a0d0450 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 000000004a0d0210 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 000000004a0d0270 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 000000004a0d0480 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 000000004a0d0470 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 000000004a0d0360 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 000000004a0d0490 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 000000004a0d03d0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 000000004a0d0310 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 000000004a0d03a0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 000000004a0d0380 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0xffffffffd29b4490} .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 000000004a0d02d0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 000000004a0d02c0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 000000004a0d0300 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 000000004a0d03b0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 000000004a0d0440 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 000000004a0d03e0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 000000004a0d0220 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 000000004a0d04a0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 000000004a0d0390 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 000000004a0d02e0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 000000004a0d0340 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 000000004a0d0280 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 000000004a0d02a0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 000000004a0d03c0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 000000004a0d0320 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 000000004a0d0410 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 000000004a0d0230 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 000000004a0d03f0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 000000004a0d01d0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 000000004a0d0240 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 000000004a0d04b0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 000000004a0d04c0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 000000004a0d02f0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 000000004a0d0350 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 000000004a0d0290 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 000000004a0d02b0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 000000004a0d0370 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 000000004a0d0330 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 000000004a0d0460 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 000000004a0d0420 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 000000004a0d0250 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 000000004a0d0260 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 000000004a0d0400 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 000000004a0d01e0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 000000004a0d0200 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 000000004a0d01f0 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 000000004a0d0430 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 000000004a0d0450 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 000000004a0d0210 .text C:\Windows\system32\csrss.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 000000004a0d0270 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0xffffffff88954490} .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsass.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0xffffffff88954490} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\nvvsvc.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\System32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\AUDIODG.EXE[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0xffffffff88954490} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\nvvsvc.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\System32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076db2bdc 5 bytes JMP 0000000001028d78 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\SearchIndexer.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\svchost.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\System32\svchost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\System32\svchost.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\servicing\TrustedInstaller.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007771bbe0 5 bytes JMP 0000000077880480 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007771bc30 5 bytes JMP 0000000077880470 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007771bd90 5 bytes JMP 0000000077880360 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007771bde0 5 bytes JMP 0000000077880490 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007771bdf0 5 bytes JMP 00000000778803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007771bea0 5 bytes JMP 0000000077880310 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007771bed0 5 bytes JMP 00000000778803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007771bef0 1 byte JMP 0000000077880380 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007771bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007771bf30 5 bytes JMP 00000000778802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007771bfb0 5 bytes JMP 00000000778802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007771bfd0 5 bytes JMP 0000000077880300 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007771c010 5 bytes JMP 00000000778803b0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007771c050 5 bytes JMP 0000000077880440 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007771c060 5 bytes JMP 00000000778803e0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007771c1c0 5 bytes JMP 0000000077880220 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007771c380 5 bytes JMP 00000000778804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007771c3b0 5 bytes JMP 0000000077880390 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007771c490 5 bytes JMP 00000000778802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007771c4a0 5 bytes JMP 0000000077880340 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007771c500 5 bytes JMP 0000000077880280 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007771c590 5 bytes JMP 00000000778802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007771c5b0 5 bytes JMP 00000000778803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007771c5c0 5 bytes JMP 0000000077880320 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007771c630 5 bytes JMP 0000000077880410 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007771c660 5 bytes JMP 0000000077880230 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007771c800 5 bytes JMP 00000000778803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007771c920 5 bytes JMP 00000000778801d0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007771c9e0 5 bytes JMP 0000000077880240 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007771ca10 5 bytes JMP 00000000778804b0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007771ca20 5 bytes JMP 00000000778804c0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007771ca50 5 bytes JMP 00000000778802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007771ca60 5 bytes JMP 0000000077880350 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007771cac0 5 bytes JMP 0000000077880290 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007771cb10 5 bytes JMP 00000000778802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007771cb40 5 bytes JMP 0000000077880370 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007771cb50 5 bytes JMP 0000000077880330 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007771ce40 5 bytes JMP 0000000077880460 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007771cfa0 5 bytes JMP 0000000077880420 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007771d040 5 bytes JMP 0000000077880250 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007771d050 5 bytes JMP 0000000077880260 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007771d060 5 bytes JMP 0000000077880400 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007771d220 5 bytes JMP 00000000778801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007771d230 5 bytes JMP 0000000077880200 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007771d2a0 5 bytes JMP 00000000778801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007771d300 5 bytes JMP 0000000077880430 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007771d310 5 bytes JMP 0000000077880450 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007771d320 5 bytes JMP 0000000077880210 .text C:\Windows\system32\wbem\wmiprvse.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007771d400 5 bytes JMP 0000000077880270 ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3976:1500] 000007fefb862af4 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3976:1508] 000007feef5d8f70 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3976:4436] 000007fef8265124 ---- EOF - GMER 2.2 ----