GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-21 19:11:06 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0004SDM1 465,76GB Running: d1rn33vh.exe; Driver: C:\Users\Natalia\AppData\Local\Temp\kfliikob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 000000004a640480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 000000004a640470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 000000004a640360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 000000004a640490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 000000004a6403d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 000000004a640310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffffd2b1ec90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 000000004a6403a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 000000004a640380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 000000004a6402d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 000000004a6402c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 000000004a640300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 000000004a6403b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 000000004a640440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 000000004a6403e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 000000004a640220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 000000004a6404a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 000000004a640390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 000000004a6402e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 000000004a640340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 000000004a640280 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 000000004a6402a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 000000004a6403c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 000000004a640320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 000000004a640410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 000000004a640230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 000000004a6403f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 000000004a6401d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 000000004a640240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 000000004a6404b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 000000004a6404c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 000000004a6402f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 000000004a640350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 000000004a640290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 000000004a6402b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 000000004a640370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 000000004a640330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 000000004a640460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 000000004a640420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 000000004a640250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 000000004a640260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 000000004a640400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 000000004a6401e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 000000004a640200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 000000004a6401f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 000000004a640430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 000000004a640450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 000000004a640210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 000000004a640270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffffd2b1d690} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 000000004a640480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 000000004a640470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 000000004a640360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 000000004a640490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 000000004a6403d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 000000004a640310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffffd2b1ec90} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 000000004a6403a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 000000004a640380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 000000004a6402d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 000000004a6402c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 000000004a640300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 000000004a6403b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 000000004a640440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 000000004a6403e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 000000004a640220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 000000004a6404a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 000000004a640390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 000000004a6402e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 000000004a640340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 000000004a640280 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 000000004a6402a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 000000004a6403c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 000000004a640320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 000000004a640410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 000000004a640230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 000000004a6403f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 000000004a6401d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 000000004a640240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 000000004a6404b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 000000004a6404c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 000000004a6402f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 000000004a640350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 000000004a640290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 000000004a6402b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 000000004a640370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 000000004a640330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 000000004a640460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 000000004a640420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 000000004a640250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 000000004a640260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 000000004a640400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 000000004a6401e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 000000004a640200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 000000004a6401f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 000000004a640430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 000000004a640450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 000000004a640210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 000000004a640270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffffd2b1d690} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\Dwm.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Program Files\Microsoft Security Client\msseces.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\hkcmd.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\igfxpers.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Program Files\Windows Sidebar\sidebar.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\System32\spoolsv.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\taskhost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772b1465 2 bytes [2B, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772b14bb 2 bytes [2B, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1888] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000071cc11a8 2 bytes [CC, 71] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1888] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000071cc13a8 2 bytes [CC, 71] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1888] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000071cc1422 2 bytes [CC, 71] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1888] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000071cc1498 2 bytes [CC, 71] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000000070480 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000000070470 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000000070360 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000000070490 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000000000703d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000000070310 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000000000703a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000000070380 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000000000702d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000000000702c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000000070300 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000000000703b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000000070440 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000000000703e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000000070220 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 00000000000704a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000000070390 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000000000702e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000000070340 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000000070280 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000000000702a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000000000703c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000000070320 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000000070410 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000000070230 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 00000000000703f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000000000701d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000000070240 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 00000000000704b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 00000000000704c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000000000702f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000000070350 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000000070290 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000000000702b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000000070370 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000000070330 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000000070460 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000000070420 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000000070250 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000000070260 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000000070400 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000000000701e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000000070200 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000000000701f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000000070430 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000000070450 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000000070210 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000000070270 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000000070480 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000000070470 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000000070360 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000000070490 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 00000000000703d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000000070310 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0xffffffff8854ec90} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 00000000000703a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000000070380 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 00000000000702d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 00000000000702c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000000070300 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 00000000000703b0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000000070440 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 00000000000703e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000000070220 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 00000000000704a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000000070390 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 00000000000702e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000000070340 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000000070280 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 00000000000702a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 00000000000703c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000000070320 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000000070410 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000000070230 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 00000000000703f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 00000000000701d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000000070240 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 00000000000704b0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 00000000000704c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 00000000000702f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000000070350 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000000070290 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 00000000000702b0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000000070370 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000000070330 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000000070460 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000000070420 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000000070250 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000000070260 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000000070400 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 00000000000701e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000000070200 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 00000000000701f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000000070430 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000000070450 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000000070210 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000000070270 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0xffffffff8854d690} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2964] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000777287c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772b1465 2 bytes [2B, 77] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772b14bb 2 bytes [2B, 77] .text ... * 2 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\wbem\wmiprvse.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\wbem\wmiprvse.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b213c0 5 bytes JMP 0000000077c80480 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b21410 5 bytes JMP 0000000077c80470 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b21570 5 bytes JMP 0000000077c80360 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b215c0 5 bytes JMP 0000000077c80490 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b215d0 5 bytes JMP 0000000077c803d0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b21680 1 byte JMP 0000000077c80310 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077b21682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b216b0 5 bytes JMP 0000000077c803a0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b216d0 5 bytes JMP 0000000077c80380 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b21710 5 bytes JMP 0000000077c802d0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b21790 5 bytes JMP 0000000077c802c0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b217b0 5 bytes JMP 0000000077c80300 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b217f0 5 bytes JMP 0000000077c803b0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b21830 5 bytes JMP 0000000077c80440 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b21840 5 bytes JMP 0000000077c803e0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b219a0 5 bytes JMP 0000000077c80220 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b21b60 5 bytes JMP 0000000077c804a0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b21b90 5 bytes JMP 0000000077c80390 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b21c70 5 bytes JMP 0000000077c802e0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b21c80 5 bytes JMP 0000000077c80340 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b21ce0 5 bytes JMP 0000000077c80280 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b21d70 5 bytes JMP 0000000077c802a0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b21d90 5 bytes JMP 0000000077c803c0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b21da0 5 bytes JMP 0000000077c80320 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b21e10 5 bytes JMP 0000000077c80410 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b21e40 5 bytes JMP 0000000077c80230 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b21fe0 5 bytes JMP 0000000077c803f0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b22100 5 bytes JMP 0000000077c801d0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b221c0 5 bytes JMP 0000000077c80240 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b221f0 5 bytes JMP 0000000077c804b0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b22200 5 bytes JMP 0000000077c804c0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b22230 5 bytes JMP 0000000077c802f0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b22240 5 bytes JMP 0000000077c80350 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b222a0 5 bytes JMP 0000000077c80290 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b222f0 5 bytes JMP 0000000077c802b0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b22320 5 bytes JMP 0000000077c80370 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b22330 5 bytes JMP 0000000077c80330 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b22620 5 bytes JMP 0000000077c80460 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b22780 5 bytes JMP 0000000077c80420 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b22820 5 bytes JMP 0000000077c80250 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b22830 5 bytes JMP 0000000077c80260 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b22840 5 bytes JMP 0000000077c80400 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b22a00 5 bytes JMP 0000000077c801e0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b22a10 5 bytes JMP 0000000077c80200 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b22a80 5 bytes JMP 0000000077c801f0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b22ae0 5 bytes JMP 0000000077c80430 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b22af0 5 bytes JMP 0000000077c80450 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b22b00 5 bytes JMP 0000000077c80210 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b22be0 1 byte JMP 0000000077c80270 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077b22be2 3 bytes {JMP 0x15d690} ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971a492db Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971a492db@045a955ab6a2 0x16 0xF9 0x6E 0x44 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971a492db@30766f7a4cda 0xCE 0xEA 0x13 0x37 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971a492db@1caf05592ba0 0x84 0x87 0x1B 0x6D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971a492db (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971a492db@045a955ab6a2 0x16 0xF9 0x6E 0x44 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971a492db@30766f7a4cda 0xCE 0xEA 0x13 0x37 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971a492db@1caf05592ba0 0x84 0x87 0x1B 0x6D ... ---- EOF - GMER 2.2 ----