GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-01 19:16:58 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320620AS rev.3.AAK 298,09GB Running: jygqggls.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000149b50450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0xffffffffd1eaf090} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000149b50440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000149b50360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000149b50460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000149b503d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000149b50310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0xffffffffd1eaec90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000149b503a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000149b50380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000149b502d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000149b502c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000149b50300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000149b503b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000149b503e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000149b50220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000149b50470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000149b50390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000149b502e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000149b50340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000149b50280 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000149b502a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000149b503c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000149b50320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000149b50400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000149b50230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000149b501d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000149b50240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000149b50480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0xffffffffd1eae290} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000149b50490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0xffffffffd1eae290} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000149b502f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000149b50350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000149b50290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000149b502b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000149b50370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000149b50330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000149b50430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000149b50250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000149b50260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000149b503f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000149b501e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000149b50200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000149b501f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000149b50410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000149b50420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000149b50210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000149b50270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0xffffffffd1ead690} .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\wininit.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000149b50450 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0xffffffffd1eaf090} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000149b50440 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000149b50360 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000149b50460 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000149b503d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000149b50310 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0xffffffffd1eaec90} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000149b503a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000149b50380 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000149b502d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000149b502c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000149b50300 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000149b503b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000149b503e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000149b50220 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000149b50470 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000149b50390 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000149b502e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000149b50340 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000149b50280 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000149b502a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000149b503c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000149b50320 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000149b50400 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000149b50230 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000149b501d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000149b50240 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000149b50480 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0xffffffffd1eae290} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000149b50490 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0xffffffffd1eae290} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000149b502f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000149b50350 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000149b50290 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000149b502b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000149b50370 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000149b50330 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000149b50430 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000149b50250 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000149b50260 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000149b503f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000149b501e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000149b50200 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000149b501f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000149b50410 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000149b50420 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000149b50210 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000149b50270 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0xffffffffd1ead690} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\nvvsvc.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0xffffffff883cf090} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0xffffffff883cec90} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0xffffffff883ce290} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0xffffffff883ce290} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0xffffffff883cd690} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\nvvsvc.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\System32\spoolsv.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\taskhost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1760] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768b87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\taskeng.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000031465 2 bytes [03, 00] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000000314bb 2 bytes [03, 00] .text ... * 2 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\wbem\wmiprvse.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\SearchIndexer.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\SearchProtocolHost.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\SysWOW64\regsvr32.exe[3552] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077e4000c 1 byte [C3] .text C:\Windows\SysWOW64\regsvr32.exe[3552] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000077ecf85a 5 bytes JMP 0000000177e7d571 .text C:\Windows\SysWOW64\regsvr32.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e01465 2 bytes [E0, 77] .text C:\Windows\SysWOW64\regsvr32.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e014bb 2 bytes [E0, 77] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4956] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768b87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e01465 2 bytes [E0, 77] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e014bb 2 bytes [E0, 77] .text ... * 2 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\system32\wbem\unsecapp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077ca13c0 1 byte JMP 0000000077e00450 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 2 0000000077ca13c2 3 bytes {JMP 0x15f090} .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ca1410 5 bytes JMP 0000000077e00440 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077ca1570 5 bytes JMP 0000000077e00360 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca15c0 5 bytes JMP 0000000077e00460 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca15d0 5 bytes JMP 0000000077e003d0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca1680 1 byte JMP 0000000077e00310 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077ca1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca16b0 5 bytes JMP 0000000077e003a0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ca16d0 5 bytes JMP 0000000077e00380 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca1710 5 bytes JMP 0000000077e002d0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca1790 5 bytes JMP 0000000077e002c0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca17b0 5 bytes JMP 0000000077e00300 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca17f0 5 bytes JMP 0000000077e003b0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca1840 5 bytes JMP 0000000077e003e0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca19a0 5 bytes JMP 0000000077e00220 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca1b60 5 bytes JMP 0000000077e00470 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca1b90 5 bytes JMP 0000000077e00390 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca1c70 5 bytes JMP 0000000077e002e0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca1c80 5 bytes JMP 0000000077e00340 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca1ce0 5 bytes JMP 0000000077e00280 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca1d70 5 bytes JMP 0000000077e002a0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca1d90 5 bytes JMP 0000000077e003c0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca1da0 5 bytes JMP 0000000077e00320 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca1e10 5 bytes JMP 0000000077e00400 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca1e40 5 bytes JMP 0000000077e00230 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca2100 5 bytes JMP 0000000077e001d0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca21c0 5 bytes JMP 0000000077e00240 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca21f0 1 byte JMP 0000000077e00480 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ca21f2 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca2200 1 byte JMP 0000000077e00490 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 2 0000000077ca2202 3 bytes {JMP 0x15e290} .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca2230 5 bytes JMP 0000000077e002f0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca2240 5 bytes JMP 0000000077e00350 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca22a0 5 bytes JMP 0000000077e00290 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca22f0 5 bytes JMP 0000000077e002b0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077ca2320 5 bytes JMP 0000000077e00370 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca2330 5 bytes JMP 0000000077e00330 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca2620 5 bytes JMP 0000000077e00430 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca2820 5 bytes JMP 0000000077e00250 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca2830 5 bytes JMP 0000000077e00260 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca2840 5 bytes JMP 0000000077e003f0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca2a00 5 bytes JMP 0000000077e001e0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca2a10 5 bytes JMP 0000000077e00200 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca2a80 5 bytes JMP 0000000077e001f0 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca2ae0 5 bytes JMP 0000000077e00410 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca2af0 5 bytes JMP 0000000077e00420 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca2b00 5 bytes JMP 0000000077e00210 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca2be0 1 byte JMP 0000000077e00270 .text C:\Windows\System32\svchost.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077ca2be2 3 bytes {JMP 0x15d690} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5348] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e6c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5348] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e71217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e01465 2 bytes [E0, 77] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e014bb 2 bytes [E0, 77] .text ... * 2 .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e01465 2 bytes [E0, 77] .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e014bb 2 bytes [E0, 77] .text ... * 2 .text C:\Program Files\Internet Explorer\iexplore.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c73ae0 6 bytes {NOP ; JMP 0xffffffff8859cc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c77a90 6 bytes {NOP ; JMP 0xffffffff88598914} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[524] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e6c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[524] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e71217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e01465 2 bytes [E0, 77] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e014bb 2 bytes [E0, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\regsvr32.exe [3552:4288] 000000006788a962 ---- Processes - GMER 2.1 ---- Library C:\Users\user\AppData\Local\Style Food\{F4DA5E55-F70D-14E0-89F9-AF39563C79CE}\StyleFood.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [1840](2015-12-28 21:59:58) 00000000720e0000 Library C:\Users\user\AppData\Local\Style Food\{F4DA5E55-F70D-14E0-89F9-AF39563C79CE}\uyf.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [1848](2015-12-28 21:59:58) 00000000720f0000 Library C:\Users\user\AppData\Local\Style Food\{F4DA5E55-F70D-14E0-89F9-AF39563C79CE}\{3FD995F3-80F1-0A33-37FB-8F9C3CF0575F}.dat (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [1848](2015-12-28 21:59:58) 0000000000410000 Library C:\Users\user\AppData\Local\Ehtion\frxnyvpt.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [3552](2015-12-29 10:38:59) 0000000010000000 Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{00025441-CD9C-4AC3-8A83-B295ACBE3EC2}\offreg.6068.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [6068](2016-01-01 17:09:43) 000007fef78c0000 Process C:\Users\user\AppData\Local\Temp\nso9753.tmp (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\nso9753.tmp [1528](2016-01-01 17:15:47) 0000000000400000 Library C:\Users\user\AppData\Local\Temp\nstCFFC.tmp\System.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\nso9753.tmp [1528] 0000000010000000 Library C:\Users\user\AppData\Local\Temp\nstCFFC.tmp\IpConfig.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\nso9753.tmp [1528](2016-01-01 17:16:02) 00000000003d0000 Library C:\Users\user\AppData\Local\Temp\nstCFFC.tmp\nsJSON.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\nso9753.tmp [1528] (nsJSON NSIS plug-in/Afrow Soft Ltd.)(2016-01-01 17:16:07) 00000000745f0000 Process C:\Users\user\AppData\Local\Temp\setup_ra.exe (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\setup_ra.exe [4568](2016-01-01 17:16: 0000000000400000 Library C:\Users\user\AppData\Local\Temp\nstF0E.tmp\System.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\setup_ra.exe [4568] 0000000010000000 Library C:\Users\user\AppData\Local\Temp\nstF0E.tmp\IpConfig.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\setup_ra.exe [4568](2016-01-01 17:16:18) 0000000000760000 Library C:\Users\user\AppData\Local\Temp\nstF0E.tmp\nsJSON.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\setup_ra.exe [4568] (nsJSON NSIS plug-in/Afrow Soft Ltd.)(2016-01-01 17:16:20) 0000000074690000 Library C:\Users\user\AppData\Local\Temp\nstF0E.tmp\Registry.dll (*** suspicious ***) @ C:\Users\user\AppData\Local\Temp\setup_ra.exe [4568](2016-01-01 17:16:20) 0000000002c20000 ---- Files - GMER 2.1 ---- File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\35AB0H41\srv_14srvhost_com[2].json 2438 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00716.log 1048576 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00717.log 1048576 bytes ---- EOF - GMER 2.1 ----