GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-21 17:24:23 Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\00000051 Hitachi_ rev.FBEO 232,89GB Running: xyyzcpwu.exe; Driver: C:\Users\ADMIN\AppData\Local\Temp\aglorpod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001b1400 3 bytes [80, 7C, 02] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 4 fffff960001b1404 3 bytes [C1, B6, FA] .text ... * 127 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 380 fffff9600025bec0 6 bytes {JMP QWORD [RIP+0x4d0da]} ---- User code sections - GMER 2.1 ----clipbrd.exe .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 0000000149f90460 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 0000000149f90450 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 0000000149f90370 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 0000000149f90470 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 0000000149f903e0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 0000000149f90320 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 0000000149f903b0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 0000000149f90390 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 0000000149f902e0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 0000000149f90440 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 0000000149f902d0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 0000000149f90310 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0xffffffffd2909290} .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 0000000149f903c0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 0000000149f903f0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 0000000149f90230 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 0000000149f90480 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 0000000149f903a0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 0000000149f902f0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 0000000149f90350 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 0000000149f90290 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 0000000149f902b0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 0000000149f903d0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 0000000149f90330 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 0000000149f90410 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 0000000149f90240 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 0000000149f901e0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 0000000149f90250 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 0000000149f90490 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 0000000149f904a0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 0000000149f90300 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 0000000149f90360 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0xffffffffd2908890} .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 0000000149f902a0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0xffffffffd2908790} .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 0000000149f902c0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 0000000149f90380 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 0000000149f90340 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 0000000149f90260 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 0000000149f90270 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 0000000149f90400 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 0000000149f901f0 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 0000000149f90210 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 0000000149f90200 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 0000000149f90420 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 0000000149f90430 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 0000000149f90220 .text C:\Windows\system32\csrss.exe[1444] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 0000000149f90280 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 0000000149f90460 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 0000000149f90450 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 0000000149f90370 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 0000000149f90470 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 0000000149f903e0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 0000000149f90320 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 0000000149f903b0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 0000000149f90390 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 0000000149f902e0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 0000000149f90440 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 0000000149f902d0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 0000000149f90310 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0xffffffffd2909290} .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 0000000149f903c0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 0000000149f903f0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 0000000149f90230 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 0000000149f90480 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 0000000149f903a0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 0000000149f902f0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 0000000149f90350 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 0000000149f90290 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 0000000149f902b0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 0000000149f903d0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 0000000149f90330 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 0000000149f90410 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 0000000149f90240 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 0000000149f901e0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 0000000149f90250 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 0000000149f90490 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 0000000149f904a0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 0000000149f90300 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 0000000149f90360 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0xffffffffd2908890} .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 0000000149f902a0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0xffffffffd2908790} .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 0000000149f902c0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 0000000149f90380 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 0000000149f90340 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 0000000149f90260 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 0000000149f90270 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 0000000149f90400 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 0000000149f901f0 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 0000000149f90210 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 0000000149f90200 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 0000000149f90420 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 0000000149f90430 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 0000000149f90220 .text C:\Windows\system32\csrss.exe[1580] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 0000000149f90280 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\services.exe[1652] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\winlogon.exe[1708] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 0000000100060460 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 0000000100060370 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 0000000100060470 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 0000000100060320 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 0000000100060440 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 0000000100060310 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0xffffffff889d9290} .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 0000000100060230 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 0000000100060480 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 0000000100060350 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 0000000100060330 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 0000000100060240 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 0000000100060250 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 0000000100060490 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 0000000100060360 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0xffffffff889d8890} .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000001000602a0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0xffffffff889d8790} .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 0000000100060380 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 0000000100060260 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 0000000100060270 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 0000000100060210 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 0000000100060200 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 0000000100060420 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 0000000100060430 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 0000000100060220 .text C:\Windows\system32\lsass.exe[1764] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 0000000100060280 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\lsm.exe[1780] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\nvvsvc.exe[576] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\System32\svchost.exe[864] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 0000000100060460 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 0000000100060450 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 0000000100060370 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 0000000100060470 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000001000603e0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 0000000100060320 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000001000603b0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 0000000100060390 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000001000602e0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 0000000100060440 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000001000602d0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 0000000100060310 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0xffffffff889d9290} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000001000603c0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000001000603f0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 0000000100060230 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 0000000100060480 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000001000603a0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000001000602f0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 0000000100060350 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 0000000100060290 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000001000602b0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000001000603d0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 0000000100060330 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 0000000100060410 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 0000000100060240 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000001000601e0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 0000000100060250 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 0000000100060490 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000001000604a0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 0000000100060300 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 0000000100060360 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0xffffffff889d8890} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000001000602a0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0xffffffff889d8790} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000001000602c0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 0000000100060380 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 0000000100060340 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 0000000100060260 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 0000000100060270 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 0000000100060400 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000001000601f0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 0000000100060210 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 0000000100060200 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 0000000100060420 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 0000000100060430 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 0000000100060220 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 0000000100060280 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\AUDIODG.EXE[964] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\SLsvc.exe[1124] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2384] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\nvvsvc.exe[2400] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 0000000100060460 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 0000000100060370 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 0000000100060470 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 0000000100060320 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 0000000100060440 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 0000000100060310 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0xffffffff889d9290} .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 0000000100060230 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 0000000100060480 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 0000000100060350 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 0000000100060330 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 0000000100060240 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 0000000100060250 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 0000000100060490 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 0000000100060360 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0xffffffff889d8890} .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000001000602a0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0xffffffff889d8790} .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 0000000100060380 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 0000000100060260 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 0000000100060270 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 0000000100060210 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 0000000100060200 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 0000000100060420 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 0000000100060430 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 0000000100060220 .text C:\Windows\system32\svchost.exe[2672] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 0000000100060280 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 00000000777d0460 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 00000000777d0450 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 00000000777d0370 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 00000000777d0470 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000000777d03e0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 00000000777d0320 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000000777d03b0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 00000000777d0390 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000000777d02e0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 00000000777d0440 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000000777d02d0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 00000000777d0310 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0x149290} .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000000777d03c0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000000777d03f0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 00000000777d0230 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 00000000777d0480 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000000777d03a0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000000777d02f0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 00000000777d0350 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 00000000777d0290 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000000777d02b0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000000777d03d0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 00000000777d0330 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 00000000777d0410 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 00000000777d0240 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000000777d01e0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 00000000777d0250 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 00000000777d0490 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000000777d04a0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 00000000777d0300 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 00000000777d0360 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0x148890} .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000000777d02a0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0x148790} .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000000777d02c0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 00000000777d0380 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 00000000777d0340 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 00000000777d0260 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 00000000777d0270 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 00000000777d0400 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000000777d01f0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 00000000777d0210 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 00000000777d0200 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 00000000777d0420 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 00000000777d0430 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 00000000777d0220 .text C:\Windows\Explorer.EXE[1376] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 00000000777d0280 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePort 0000000077686c90 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtQueryObject 0000000077686ce0 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenProcess 0000000077686e40 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077686e90 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077686ea0 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenSection 0000000077686f50 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000077686f80 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtDuplicateObject 0000000077686fa0 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000077686fe0 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtQueueApcThread 0000000077687030 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000077687060 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateSection 0000000077687080 1 byte JMP 0000000100070310 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateSection + 2 0000000077687082 3 bytes {JMP 0xffffffff889e9290} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateThread 00000000776870c0 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtTerminateThread 0000000077687110 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtAddBootEntry 0000000077687280 5 bytes JMP 0000000100070230 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077687430 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtAssignProcessToJobObject 0000000077687460 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateEventPair 0000000077687550 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateIoCompletion 0000000077687560 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000776875c0 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000077687640 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateThreadEx 0000000077687660 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtCreateTimer 0000000077687670 5 bytes JMP 0000000100070330 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtDebugActiveProcess 00000000776876e0 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtDeleteBootEntry 0000000077687710 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtLoadDriver 00000000776879a0 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtModifyBootEntry 0000000077687a60 5 bytes JMP 0000000100070250 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtNotifyChangeKey 0000000077687a90 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077687aa0 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenEventPair 0000000077687ac0 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion 0000000077687ad0 1 byte JMP 0000000100070360 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenIoCompletion + 2 0000000077687ad2 3 bytes {JMP 0xffffffff889e8890} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000077687b10 1 byte JMP 00000001000702a0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenMutant + 2 0000000077687b12 3 bytes {JMP 0xffffffff889e8790} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000077687b60 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenThread 0000000077687b90 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtOpenTimer 0000000077687ba0 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSetBootEntryOrder 0000000077688080 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSetBootOptions 0000000077688090 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSetContextThread 00000000776880a0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSetSystemInformation 0000000077688250 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSetSystemPowerState 0000000077688260 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtShutdownSystem 00000000776882c0 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSuspendProcess 0000000077688320 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSuspendThread 0000000077688330 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtSystemDebugControl 0000000077688340 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4652] C:\Windows\system32\ntdll.dll!NtVdmControl 0000000077688410 5 bytes JMP 0000000100070280 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EA5B4F6E-F5E4-48D9-9367-602928A95732}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [864] (Microsoft Malware Protection Engine/Microsoft Corporation)(2015-08-20 19:52:05) 000007fefa870000 ---- EOF - GMER 2.1 ----