GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-15 22:08:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000068 ST350041 rev.JC45 465,76GB Running: f9bed3pv.exe; Driver: C:\Users\9DEC~1\AppData\Local\Temp\axloruog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 000000014a340450 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 000000014a340440 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0xffffffffd290f090} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 000000014a340360 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 000000014a340460 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 000000014a3403d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 000000014a340310 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 000000014a3403a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 000000014a340380 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 000000014a3402d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 000000014a3402c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0xffffffffffffff92} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 000000014a340300 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 000000014a3403b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 000000014a3403e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 000000014a340220 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 000000014a340470 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 000000014a340390 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 000000014a3402e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 000000014a340340 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 000000014a340280 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 000000014a3402a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffffd290e590} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 000000014a3403c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffffd290e690} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 000000014a340320 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 000000014a340400 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 000000014a340230 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 000000014a3401d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 000000014a340240 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 000000014a340480 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 000000014a340490 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 000000014a3402f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 000000014a340350 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 000000014a340290 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 000000014a3402b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 000000014a340370 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 000000014a340330 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 000000014a340430 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 000000014a340250 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffffd290da90} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 000000014a340260 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffffd290da90} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 000000014a3403f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 000000014a3401e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 000000014a340200 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 000000014a3401f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 000000014a340410 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0xffffffffd290d990} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 000000014a340420 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0xffffffffd290d990} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 000000014a340210 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 000000014a340270 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 000000014a340450 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 000000014a340440 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0xffffffffd290f090} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 000000014a340360 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 000000014a340460 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 000000014a3403d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 000000014a340310 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 000000014a3403a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 000000014a340380 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 000000014a3402d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 000000014a3402c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0xffffffffffffff92} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 000000014a340300 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 000000014a3403b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 000000014a3403e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 000000014a340220 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 000000014a340470 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 000000014a340390 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 000000014a3402e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 000000014a340340 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 000000014a340280 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 000000014a3402a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffffd290e590} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 000000014a3403c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffffd290e690} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 000000014a340320 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 000000014a340400 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 000000014a340230 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 000000014a3401d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 000000014a340240 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 000000014a340480 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 000000014a340490 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 000000014a3402f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 000000014a340350 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 000000014a340290 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 000000014a3402b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 000000014a340370 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 000000014a340330 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 000000014a340430 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 000000014a340250 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffffd290da90} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 000000014a340260 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffffd290da90} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 000000014a3403f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 000000014a3401e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 000000014a340200 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 000000014a3401f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 000000014a340410 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0xffffffffd290d990} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 000000014a340420 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0xffffffffd290d990} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 000000014a340210 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 000000014a340270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0xffffffff8863f090} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x65} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffff8863e590} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffff8863e690} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffff8863da90} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffff8863da90} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0xffffffff8863d990} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0xffffffff8863d990} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\Explorer.EXE[1572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0xffffffff8863f090} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x65} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffff8863e590} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffff8863e690} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffff8863da90} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffff8863da90} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0xffffffff8863d990} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0xffffffff8863d990} .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000100070270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3408] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075bb8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\AUDIODG.EXE[3368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\NOTEPAD.EXE[4392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90450 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 1 byte JMP 0000000077b90440 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000077a313b2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90460 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b90470 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90400 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b90480 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b90490 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90430 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b903f0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 1 byte JMP 0000000077b90410 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000077a32a82 3 bytes {JMP 0x15d990} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 1 byte JMP 0000000077b90420 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000077a32a92 3 bytes {JMP 0x15d990} .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text C:\Windows\system32\SearchProtocolHost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 ---- Threads - GMER 2.1 ---- Thread C:\Windows\syswow64\svchost.exe [1968:1972] 0000000000096980 Thread C:\Windows\syswow64\svchost.exe [1968:952] 0000000000092b00 Thread C:\Windows\syswow64\svchost.exe [1968:3612] 00000000000963f0 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\\xa0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware\Deinstalacja programu Malwarebytes Anti-Malware.lnk 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\!! WAZNE !!\atBIOS\setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\!! WAZNE !!\NOD32\nentenst.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\!! WAZNE !!\NOD32\NOD32.FiX.v2.1-nsane.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\!! WAZNE !!\K-Lite_Codec_Pack_640_Full(dobreprogramy.pl).exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\!! WAZNE !!\Office\setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\!! WAZNE !!\bsplayer256.1043_clip_[www.programosy.pl].exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\270.61-desktop-win7-winvista-64bit-international-whql.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\wlsetup-web.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Firefox Setup 6.0.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\install_flash_player.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\burnaware_free.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\gg10,5.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\AdbeRdr1010_en_US.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\AdbeRdr1010_pl_PL.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\jre-6u26-windows-i586-iftw.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\GamersFirst_LIVE!_Setup_EN.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\tmnationsforever_setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\QuickTimeInstaller.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Inkscape-0.48.2-1-win32(dobreprogramy.pl).exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\setup_av_free.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\K-Lite_Codec_Pack_800_Full.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Real_Alternative_202_[www.programosy.pl].exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\ALLPlayerPL.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\LOLReplay-0.7.6.0.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\AppData\Local\Temp\setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\SkypeSetup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\GoogleEarthPluginSetup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Install8BC.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Desktop\dsj_3_1.7.0_pl__klucz\DSJ 3 1.7.0 PL + KLUCZ_by Jarda\DSJ 3 1.7.0 PL\dsj3v170.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Silverlight_x64.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\raidcall_v7.1.6.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Nero-9.4.12.708_lite.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\InstallHiRezGamesEnglish.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\setup (1).exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\audacity-win-2.0.3.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\dffsetup-lame_enc.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\dotNetFx45_Full_setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Hearthstone-Beta-Setup-plPL.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\chromeinstall-7u40.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\eac-1.0beta3.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3BX30JVE\AdobeAIRInstaller.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WBGS7DGS\QuickTimeInstaller.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9SX0RUFT\AdobeAIRInstaller.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\Hearthstone-Setup-plPL.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\SteamSetup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\\xa0\Downloads\OriginThinSetup (1).exe 1 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----