GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-17 18:39:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 Hitachi_ rev.FBEO 232,89GB Running: xfqd4wwd.exe; Driver: C:\Users\Miecia\AppData\Local\Temp\pwryypoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 0000000049c30368 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 0000000049c30360 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 0000000049c30358 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 0000000049c302c8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 0000000049c30370 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 0000000049c30300 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0xffffffffd28bed90} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 0000000049c302a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 0000000049c302e8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 0000000049c302d8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 0000000049c30280 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 0000000049c30278 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 0000000049c30298 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 0000000049c302f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 0000000049c30338 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 0000000049c30308 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 0000000049c30228 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 0000000049c30378 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 0000000049c302e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 0000000049c30288 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 0000000049c302b8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 0000000049c30258 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 0000000049c30268 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 0000000049c302f8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 0000000049c302a8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 0000000049c30320 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 0000000049c30230 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 0000000049c30310 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0xffffffffd28be390} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 0000000049c30200 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 0000000049c30238 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 0000000049c303d0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 0000000049c303d8 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 0000000049c30290 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 0000000049c302c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 0000000049c30260 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 0000000049c30270 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 0000000049c302d0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 0000000049c302b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 0000000049c30350 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0xffffffffd28bdd90} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 0000000049c30328 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 0000000049c30240 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 0000000049c30248 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 0000000049c30318 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 0000000049c30208 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 0000000049c30218 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 0000000049c30210 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 0000000049c30330 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 0000000049c30340 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 0000000049c30220 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 0000000049c30250 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 0000000049c30368 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 0000000049c30360 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 0000000049c30358 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 0000000049c302c8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 0000000049c30370 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 0000000049c30300 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0xffffffffd28bed90} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 0000000049c302a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 0000000049c302e8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 0000000049c302d8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 0000000049c30280 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 0000000049c30278 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 0000000049c30298 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 0000000049c302f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 0000000049c30338 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 0000000049c30308 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 0000000049c30228 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 0000000049c30378 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 0000000049c302e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 0000000049c30288 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 0000000049c302b8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 0000000049c30258 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 0000000049c30268 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 0000000049c302f8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 0000000049c302a8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 0000000049c30320 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 0000000049c30230 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 0000000049c30310 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0xffffffffd28be390} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 0000000049c30200 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 0000000049c30238 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 0000000049c303d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 0000000049c303d8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 0000000049c30290 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 0000000049c302c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 0000000049c30260 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 0000000049c30270 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 0000000049c302d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 0000000049c302b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 0000000049c30350 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0xffffffffd28bdd90} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 0000000049c30328 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 0000000049c30240 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 0000000049c30248 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 0000000049c30318 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 0000000049c30208 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 0000000049c30218 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 0000000049c30210 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 0000000049c30330 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 0000000049c30340 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 0000000049c30220 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 0000000049c30250 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\system32\Dwm.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077371360 5 bytes JMP 00000000774d0368 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773713b0 5 bytes JMP 00000000774d0360 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773714e0 5 bytes JMP 00000000774d0358 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077371510 5 bytes JMP 00000000774d02c8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077371560 5 bytes JMP 00000000774d0370 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077371570 1 byte JMP 00000000774d0300 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 0000000077371572 3 bytes {JMP 0x15ed90} .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077371620 5 bytes JMP 00000000774d02a0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 00000000774d02e8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077371670 5 bytes JMP 00000000774d02d8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000774d0280 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000774d0278 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077371750 5 bytes JMP 00000000774d0298 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077371790 5 bytes JMP 00000000774d02f0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 00000000774d0338 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773717e0 5 bytes JMP 00000000774d0308 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077371940 5 bytes JMP 00000000774d0228 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077371b00 5 bytes JMP 00000000774d0378 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077371b30 5 bytes JMP 00000000774d02e0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077371c10 5 bytes JMP 00000000774d0288 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077371c20 5 bytes JMP 00000000774d02b8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 00000000774d0258 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000774d0268 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077371d30 5 bytes JMP 00000000774d02f8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077371d40 5 bytes JMP 00000000774d02a8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077371db0 5 bytes JMP 00000000774d0320 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077371de0 5 bytes JMP 00000000774d0230 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077371f80 1 byte JMP 00000000774d0310 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 0000000077371f82 3 bytes {JMP 0x15e390} .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773720a0 5 bytes JMP 00000000774d0200 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077372160 5 bytes JMP 00000000774d0238 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077372190 5 bytes JMP 00000000774d03d0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773721a0 5 bytes JMP 00000000774d03d8 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773721d0 5 bytes JMP 00000000774d0290 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773721e0 5 bytes JMP 00000000774d02c0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 00000000774d0260 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000774d0270 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773722c0 5 bytes JMP 00000000774d02d0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773722d0 5 bytes JMP 00000000774d02b0 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773725c0 1 byte JMP 00000000774d0350 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000773725c2 3 bytes {JMP 0x15dd90} .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077372720 5 bytes JMP 00000000774d0328 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773727c0 5 bytes JMP 00000000774d0240 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773727d0 5 bytes JMP 00000000774d0248 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773727e0 5 bytes JMP 00000000774d0318 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773729a0 5 bytes JMP 00000000774d0208 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773729b0 5 bytes JMP 00000000774d0218 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077372a20 5 bytes JMP 00000000774d0210 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077372a80 5 bytes JMP 00000000774d0330 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077372a90 5 bytes JMP 00000000774d0340 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077372aa0 5 bytes JMP 00000000774d0220 .text C:\Windows\Explorer.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077372b80 5 bytes JMP 00000000774d0250 .text C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe[2832] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 1 0000000077119b81 7 bytes [31, C0, C3, 90, 90, 90, 90] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2948] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000756e87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077345b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077371440 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077371530 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077371650 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773716b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077371730 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773717d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077371c80 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077371d10 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077371d80 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077372240 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077372290 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wuauclt.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000773c7700 5 bytes JMP 0000000000020568 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007751fad8 5 bytes JMP 00000000660534b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007751fc50 5 bytes JMP 0000000066052830 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007751fe14 5 bytes JMP 00000000660526c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007751fea8 5 bytes JMP 0000000066052c30 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007751ff74 5 bytes JMP 0000000066052ae0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077520068 5 bytes JMP 00000000660529d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007752079c 5 bytes JMP 0000000066052d70 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077520874 5 bytes JMP 0000000066053000 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007752091c 5 bytes JMP 0000000066053290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077521078 5 bytes JMP 0000000066052ec0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775210f0 5 bytes JMP 0000000066053150 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007753975f 5 bytes JMP 0000000066053420 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000775bfeed 5 bytes JMP 0000000066053340 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000756e87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774d1465 2 bytes [4D, 77] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774d14bb 2 bytes [4D, 77] .text ... * 2 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007751fad8 5 bytes JMP 00000000660534b0 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007751fc50 5 bytes JMP 0000000066052830 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007751fe14 5 bytes JMP 00000000660526c0 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007751fea8 5 bytes JMP 0000000066052c30 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007751ff74 5 bytes JMP 0000000066052ae0 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077520068 5 bytes JMP 00000000660529d0 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007752079c 5 bytes JMP 0000000066052d70 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077520874 5 bytes JMP 0000000066053000 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007752091c 5 bytes JMP 0000000066053290 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077521078 5 bytes JMP 0000000066052ec0 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775210f0 5 bytes JMP 0000000066053150 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007753975f 5 bytes JMP 0000000066053420 .text C:\Users\Miecia\Downloads\xfqd4wwd.exe[1288] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000775bfeed 5 bytes JMP 0000000066053340 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff88003d843e4] \SystemRoot\system32\drivers\aswSP.sys [.text] ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [944:1176] 000007fefa4d59a0 Thread C:\Windows\System32\svchost.exe [944:2240] 000007fefcac1a70 Thread C:\Windows\System32\svchost.exe [944:2992] 000007fef93f44e0 Thread C:\Windows\System32\svchost.exe [944:2220] 000007fef99288f8 Thread C:\Windows\system32\svchost.exe [980:1492] 000007fef7610ea8 Thread C:\Windows\system32\svchost.exe [980:1500] 000007fef7609db0 Thread C:\Windows\system32\svchost.exe [980:1824] 000007fef7611c94 Thread C:\Windows\system32\svchost.exe [980:1948] 000007fef760aa10 Thread C:\Windows\system32\svchost.exe [1060:1104] 000007fefa8c341c Thread C:\Windows\system32\svchost.exe [1060:1112] 000007fefa8c3a2c Thread C:\Windows\system32\svchost.exe [1060:1116] 000007fefa8c3768 Thread C:\Windows\system32\svchost.exe [1060:1120] 000007fefa8c5c20 Thread C:\Windows\system32\svchost.exe [1060:1532] 000007fef98dbec4 Thread C:\Windows\system32\svchost.exe [1060:1908] 000007fefa8c3900 Thread C:\Windows\system32\svchost.exe [1060:1432] 000007fef84e5170 Thread C:\Program Files\ATKGFNEX\GFNEXSrv.exe [1204:1220] 0000000077553e85 Thread C:\Program Files\ATKGFNEX\GFNEXSrv.exe [1204:1228] 0000000076c97587 Thread C:\Windows\system32\taskhost.exe [1732:1888] 000007fef80d1f38 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters\Instup_14939186253312294@SetupOperations ????????3&267a616a&1????@oem2.inf,%atkkb%;Keyboard Device Filter?eyboards)??????????????????{4d36e97d-e325-11ce-bfc1-08002be10318}\0035??????????????????????s???2??????????{4d36e972-e325-11ce-bfc1-08002be10318}??Ne??{4d36e97d-e325-11ce-bfc1-08002be10318}???????????????????????????????????????i??LegacyDriver?C??????TD???????????????????e???????????e???y???????????t??4???{4d36e97d-e325-11ce-bfc1-08002be10318}?7??????X?????????????root\umbus??cr????X?????????????{4d36e97d-e325-11ce-bfc1-08002be10318}?&DE????X??????&???&??? $??????y?????r?p????N??????v?????Dt???{4d36e972-e325-11ce-bfc1-08002be10318}\0013??????????????i??????it?????????????????s?????????????????????????????????d???????????????-?????s?6????h????????g?????????????????????????????5???????????????/??????????????it??????{4d36e96e-e325-11ce-bfc1-08002be10318}?all??{4d36e96e-e325-11ce-bfc1-08002be10318}\0001????????????????????s?&???????????_???_??{4d36e972-e325-11ce-bfc1-08002be10318}\0009?00??? ???????e?????Res??{4d36e972-e325-11ce-bfc1-08002be10318}? ---- EOF - GMER 2.2 ----