GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-21 09:41:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000060 ST310005 rev.CC46 931,51GB Running: gmer.exe; Driver: C:\Users\POLOWI~1\AppData\Local\Temp\pwryqkod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff8885e890} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff8885e590} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff8885e090} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100040460 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100040450 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100040370 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100040470 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100040320 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100040390 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100040310 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100040230 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff8877e890} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100040480 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100040350 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100040290 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100040330 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff8877e590} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100040410 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100040240 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100040250 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff8877e090} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100040490 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100040300 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100040360 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100040380 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100040340 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100040440 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100040260 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100040270 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100040400 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100040210 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100040200 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100040420 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100040430 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100040220 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100040280 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff8885e890} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff8885e590} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff8885e090} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\AUDIODG.EXE[344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100060460 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100060450 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100060370 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100060470 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100060320 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100060310 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100060230 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff8879e890} .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100060480 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100060350 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100060330 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff8879e590} .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100060410 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100060240 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100060250 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff8879e090} .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100060490 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100060300 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100060360 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100060380 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100060340 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100060440 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100060260 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100060270 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100060400 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100060210 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100060200 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100060420 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100060220 .text C:\Windows\system32\nvvsvc.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100060280 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[2020] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000773a1465 2 bytes [3A, 77] .text C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[2020] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000773a14bb 2 bytes [3A, 77] .text ... * 2 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\System32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\svchost.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff887ae890} .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff887ae590} .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff887ae090} .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\taskhost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\Dwm.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\Explorer.EXE[2952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Programy\Steam\Steam.exe[1136] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000773a1465 2 bytes [3A, 77] .text C:\Programy\Steam\Steam.exe[1136] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000773a14bb 2 bytes [3A, 77] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1900] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076f287c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Programy\Steam\bin\steamwebhelper.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773a1465 2 bytes [3A, 77] .text C:\Programy\Steam\bin\steamwebhelper.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773a14bb 2 bytes [3A, 77] .text ... * 2 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\System32\svchost.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773a1465 2 bytes [3A, 77] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[3508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773a14bb 2 bytes [3A, 77] .text ... * 2 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff887ae890} .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff887ae590} .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff887ae090} .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\notepad.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0xffffffff887ae890} .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0xffffffff887ae590} .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0xffffffff887ae090} .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\notepad.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20460 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20450 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778c1570 5 bytes JMP 0000000077a20370 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20470 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 0000000077a203e0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778c16b0 5 bytes JMP 0000000077a203b0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778c16d0 5 bytes JMP 0000000077a20390 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 5 bytes JMP 0000000077a203c0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 5 bytes JMP 0000000077a203f0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a20480 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778c1b90 5 bytes JMP 0000000077a203a0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 5 bytes JMP 0000000077a203d0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778c1e10 5 bytes JMP 0000000077a20410 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a20490 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a204a0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778c2320 5 bytes JMP 0000000077a20380 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778c2620 5 bytes JMP 0000000077a20440 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 0000000077a20400 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778c2ae0 5 bytes JMP 0000000077a20420 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778c2af0 5 bytes JMP 0000000077a20430 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Windows\system32\notepad.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d7e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d7c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d8614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010d8a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d886c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80051c12c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80051c12c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80051c12c0 Device \FileSystem\Ntfs \Ntfs fffffa8005ae42c0 Device \Driver\nvstor \Device\00000060 fffffa80051c32c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006c2f2c0 Device \Driver\nvstor \Device\RaidPort0 fffffa80051c32c0 Device \Driver\cdrom \Device\CdRom0 fffffa8005e162c0 Device \Driver\nvstor \Device\RaidPort1 fffffa80051c32c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8006c1d2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006c2f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{092C532A-857C-42E2-890E-EAE8E17DB3CB} fffffa8006bb12c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006bb12c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80051c12c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8006c1d2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80051c12c0 Device \Driver\nvstor \Device\ScsiPort2 fffffa80051c32c0 Device \Driver\nvstor \Device\ScsiPort3 fffffa80051c32c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80051c32c0]<< sptd.sys storport.sys hal.dll nvstor.sys fffffa80051c32c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005dfa060] fffffa8005dfa060 Trace 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa8005cb0e40] fffffa8005cb0e40 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\00000060[0xfffffa8005bb4060] fffffa8005bb4060 Trace \Driver\nvstor[0xfffffa8005bb25b0] -> IRP_MJ_CREATE -> 0xfffffa80051c32c0 fffffa80051c32c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [656:1116] 000007fefbb82ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [656:1432] 000007fef584d618 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x68 0x05 0x32 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x0B 0x73 0x80 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x68 0x05 0x32 0x76 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x0B 0x73 0x80 ... ---- EOF - GMER 2.1 ----