GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-14 01:27:01 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 ST3250410AS rev.3.AAF 232,89GB Running: n7pps8p6.exe; Driver: C:\Users\Smoke\AppData\Local\Temp\kwddykow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000149750450 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000149750440 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffffd1edf090} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000149750360 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000149750460 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001497503d0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000149750310 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001497503a0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000149750380 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001497502d0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001497502c0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0xffffffffffffffef} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000149750300 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001497503b0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001497503e0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000149750220 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000149750470 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000149750390 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001497502e0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000149750340 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000149750280 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001497502a0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffffd1ede590} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001497503c0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffffd1ede690} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000149750320 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000149750400 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000149750230 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001497501d0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000149750240 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000149750480 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000149750490 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001497502f0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000149750350 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000149750290 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001497502b0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000149750370 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000149750330 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000149750430 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000149750250 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffffd1edda90} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000149750260 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffffd1edda90} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001497503f0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001497501e0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000149750200 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001497501f0 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000149750410 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffffd1edd990} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000149750420 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffffd1edd990} .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000149750210 .text C:\Windows\system32\csrss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000149750270 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\wininit.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000149750450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000149750440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffffd1edf090} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000149750360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000149750460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001497503d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000149750310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001497503a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000149750380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001497502d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001497502c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0xffffffffffffffef} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000149750300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001497503b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001497503e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000149750220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000149750470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000149750390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001497502e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000149750340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000149750280 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001497502a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffffd1ede590} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001497503c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffffd1ede690} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000149750320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000149750400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000149750230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001497501d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000149750240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000149750480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000149750490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001497502f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000149750350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000149750290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001497502b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000149750370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000149750330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000149750430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000149750250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffffd1edda90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000149750260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffffd1edda90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001497503f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001497501e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000149750200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001497501f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000149750410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffffd1edd990} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000149750420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffffd1edd990} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000149750210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000149750270 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\services.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\winlogon.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\lsass.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffff887ff090} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x81} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffff887fe590} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffff887fe690} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffff887ff090} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x81} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffff887fe590} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffff887fe690} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\Explorer.EXE[1208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\taskhost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffff887ff090} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x81} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffff887fe590} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffff887fe690} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000100070270 ? C:\Windows\system32\mssprxy.dll [1868] entry point in ".rdata" section 00000000737f71e6 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\SearchIndexer.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffff887ff090} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x81} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffff887fe590} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffff887fe690} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000100070270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[112] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000767a8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffff887ff090} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x81} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffff887fe590} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffff887fe690} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffff887fda90} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffff887fd990} .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\taskhost.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 0000000100070440 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0xffffffff887ff090} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000001000702c0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x81} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000001000702a0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0xffffffff887fe590} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000001000703c0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0xffffffff887fe690} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 0000000100070230 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000001000701d0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 0000000100070330 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 0000000100070250 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0xffffffff887fda90} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 0000000100070260 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0xffffffff887fda90} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 0000000100070410 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0xffffffff887fd990} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 0000000100070420 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0xffffffff887fd990} .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\ShadowExplorer\sesvc.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 0000000100070270 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077871360 5 bytes JMP 00000000779d0450 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778713b0 1 byte JMP 00000000779d0440 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00000000778713b2 3 bytes {JMP 0x15f090} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077871510 5 bytes JMP 00000000779d0360 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077871560 5 bytes JMP 00000000779d0460 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077871570 5 bytes JMP 00000000779d03d0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077871620 5 bytes JMP 00000000779d0310 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077871650 5 bytes JMP 00000000779d03a0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077871670 5 bytes JMP 00000000779d0380 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778716b0 5 bytes JMP 00000000779d02d0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077871730 1 byte JMP 00000000779d02c0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077871732 3 bytes {JMP 0x17} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077871750 5 bytes JMP 00000000779d0300 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077871790 5 bytes JMP 00000000779d03b0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778717e0 5 bytes JMP 00000000779d03e0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077871940 5 bytes JMP 00000000779d0220 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077871b00 5 bytes JMP 00000000779d0470 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077871b30 5 bytes JMP 00000000779d0390 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077871c10 5 bytes JMP 00000000779d02e0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077871c20 5 bytes JMP 00000000779d0340 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077871c80 5 bytes JMP 00000000779d0280 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077871d10 1 byte JMP 00000000779d02a0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077871d12 3 bytes {JMP 0x15e590} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077871d30 1 byte JMP 00000000779d03c0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077871d32 3 bytes {JMP 0x15e690} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077871d40 5 bytes JMP 00000000779d0320 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077871db0 5 bytes JMP 00000000779d0400 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077871de0 5 bytes JMP 00000000779d0230 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778720a0 5 bytes JMP 00000000779d01d0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077872160 5 bytes JMP 00000000779d0240 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077872190 5 bytes JMP 00000000779d0480 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778721a0 5 bytes JMP 00000000779d0490 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778721d0 5 bytes JMP 00000000779d02f0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778721e0 5 bytes JMP 00000000779d0350 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077872240 5 bytes JMP 00000000779d0290 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077872290 5 bytes JMP 00000000779d02b0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778722c0 5 bytes JMP 00000000779d0370 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778722d0 5 bytes JMP 00000000779d0330 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778725c0 5 bytes JMP 00000000779d0430 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778727c0 1 byte JMP 00000000779d0250 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000778727c2 3 bytes {JMP 0x15da90} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778727d0 1 byte JMP 00000000779d0260 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000778727d2 3 bytes {JMP 0x15da90} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778727e0 5 bytes JMP 00000000779d03f0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778729a0 5 bytes JMP 00000000779d01e0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778729b0 5 bytes JMP 00000000779d0200 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077872a20 5 bytes JMP 00000000779d01f0 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077872a80 1 byte JMP 00000000779d0410 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077872a82 3 bytes {JMP 0x15d990} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077872a90 1 byte JMP 00000000779d0420 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077872a92 3 bytes {JMP 0x15d990} .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077872aa0 5 bytes JMP 00000000779d0210 .text C:\Users\Smoke\Downloads\FRST64.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077872b80 5 bytes JMP 00000000779d0270 ---- EOF - GMER 2.1 ----