GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-09 20:10:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000070 ST950032 rev.0002 465,76GB Running: vpwxm3bc.exe; Driver: C:\Users\NIIESM~1\AppData\Local\Temp\kxddqaow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000185600 7 bytes [00, 66, F3, FF, 41, 70, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000185608 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 000000014a120450 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 000000014a120440 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffffd2b12990} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 000000014a120360 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 000000014a120460 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 000000014a1203d0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 000000014a120310 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 000000014a1203a0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 000000014a120380 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 000000014a1202d0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 000000014a1202c0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffffd2b12490} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 000000014a120300 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 000000014a1203b0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 000000014a1203e0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 000000014a120220 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 000000014a120470 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 000000014a120390 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 000000014a1202e0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 000000014a120340 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 000000014a120280 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 000000014a1202a0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffffd2b11e90} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 000000014a1203c0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffffd2b11f90} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 000000014a120320 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 000000014a120400 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 000000014a120230 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 000000014a1201d0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 000000014a120240 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 000000014a120480 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 000000014a120490 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 000000014a1202f0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 000000014a120350 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 000000014a120290 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 000000014a1202b0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 000000014a120370 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 000000014a120330 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 000000014a120430 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 000000014a120250 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffffd2b11390} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 000000014a120260 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffffd2b11390} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 000000014a1203f0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 000000014a1201e0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 000000014a120200 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 000000014a1201f0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 000000014a120410 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffffd2b11290} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 000000014a120420 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffffd2b11290} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 000000014a120210 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 000000014a120270 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffff88a62990} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffff88a62490} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffff88a61e90} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffff88a61f90} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffff88a62990} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffff88a62490} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffff88a61e90} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffff88a61f90} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffff88a62990} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffff88a62490} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffff88a61e90} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffff88a61f90} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffff88a62990} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffff88a62490} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffff88a61e90} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffff88a61f90} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wbem\wmiprvse.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffff88a62990} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffff88a62490} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffff88a61e90} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffff88a61f90} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffff88a61390} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffff88a61290} .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 000000014a120450 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 000000014a120440 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0xffffffffd2b12990} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 000000014a120360 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 000000014a120460 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 000000014a1203d0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 000000014a120310 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 000000014a1203a0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 000000014a120380 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 000000014a1202d0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 000000014a1202c0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0xffffffffd2b12490} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 000000014a120300 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 000000014a1203b0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 000000014a1203e0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 000000014a120220 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 000000014a120470 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 000000014a120390 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 000000014a1202e0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 000000014a120340 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 000000014a120280 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 000000014a1202a0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0xffffffffd2b11e90} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 000000014a1203c0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0xffffffffd2b11f90} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 000000014a120320 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 000000014a120400 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 000000014a120230 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 000000014a1201d0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 000000014a120240 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 000000014a120480 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 000000014a120490 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 000000014a1202f0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 000000014a120350 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 000000014a120290 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 000000014a1202b0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 000000014a120370 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 000000014a120330 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 000000014a120430 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 000000014a120250 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0xffffffffd2b11390} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 000000014a120260 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0xffffffffd2b11390} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 000000014a1203f0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 000000014a1201e0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 000000014a120200 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 000000014a1201f0 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 000000014a120410 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0xffffffffd2b11290} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 000000014a120420 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0xffffffffd2b11290} .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 000000014a120210 .text C:\Windows\system32\csrss.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 000000014a120270 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Windows\Explorer.EXE[3372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007760da60 5 bytes JMP 0000000077770450 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007760dab0 1 byte JMP 0000000077770440 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 000000007760dab2 3 bytes {JMP 0x162990} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007760dc10 5 bytes JMP 0000000077770360 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007760dc60 5 bytes JMP 0000000077770460 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007760dc70 5 bytes JMP 00000000777703d0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007760dd20 5 bytes JMP 0000000077770310 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 00000000777703a0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007760dd70 5 bytes JMP 0000000077770380 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007760ddb0 5 bytes JMP 00000000777702d0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 1 byte JMP 00000000777702c0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007760de32 3 bytes {JMP 0x162490} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007760de50 5 bytes JMP 0000000077770300 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007760de90 5 bytes JMP 00000000777703b0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007760dee0 5 bytes JMP 00000000777703e0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007760e040 5 bytes JMP 0000000077770220 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007760e200 5 bytes JMP 0000000077770470 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007760e230 5 bytes JMP 0000000077770390 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007760e310 5 bytes JMP 00000000777702e0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007760e320 5 bytes JMP 0000000077770340 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770280 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 1 byte JMP 00000000777702a0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007760e412 3 bytes {JMP 0x161e90} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007760e430 1 byte JMP 00000000777703c0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007760e432 3 bytes {JMP 0x161f90} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007760e440 5 bytes JMP 0000000077770320 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007760e4b0 5 bytes JMP 0000000077770400 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007760e4e0 5 bytes JMP 0000000077770230 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007760e7a0 5 bytes JMP 00000000777701d0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007760e860 5 bytes JMP 0000000077770240 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007760e890 5 bytes JMP 0000000077770480 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007760e8a0 5 bytes JMP 0000000077770490 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007760e8d0 5 bytes JMP 00000000777702f0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007760e8e0 5 bytes JMP 0000000077770350 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007760e940 5 bytes JMP 0000000077770290 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007760e990 5 bytes JMP 00000000777702b0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007760e9c0 5 bytes JMP 0000000077770370 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007760e9d0 5 bytes JMP 0000000077770330 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007760ecc0 5 bytes JMP 0000000077770430 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007760eec0 1 byte JMP 0000000077770250 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007760eec2 3 bytes {JMP 0x161390} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007760eed0 1 byte JMP 0000000077770260 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007760eed2 3 bytes {JMP 0x161390} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007760eee0 5 bytes JMP 00000000777703f0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007760f0a0 5 bytes JMP 00000000777701e0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007760f0b0 5 bytes JMP 0000000077770200 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007760f120 5 bytes JMP 00000000777701f0 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007760f180 1 byte JMP 0000000077770410 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 000000007760f182 3 bytes {JMP 0x161290} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007760f190 1 byte JMP 0000000077770420 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 000000007760f192 3 bytes {JMP 0x161290} .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007760f1a0 5 bytes JMP 0000000077770210 .text C:\Users\Niiesmiertelny\Desktop\Nowy folder\FRST64.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007760f280 5 bytes JMP 0000000077770270 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001068e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001068c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001069614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001069a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800106986c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\aa9li5xe \Device\Scsi\aa9li5xe1 fffffa8004d3b2c0 Device \FileSystem\Ntfs \Ntfs fffffa80036aa2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{662EB87E-0D96-4F65-A622-54F328EA8B6B} fffffa80049f32c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8004a662c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004a662c0 Device \Driver\nvstor64 \Device\00000070 fffffa80036a62c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa80036a62c0 Device \Driver\cdrom \Device\CdRom0 fffffa80049012c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8004a5b2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004a5b2c0 Device \Driver\nvstor64 \Device\00000071 fffffa80036a62c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004d4d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{63815656-F5BE-4AF4-9C07-6533175BCFE9} fffffa80049f32c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8004a662c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004a662c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80049f32c0 Device \Driver\nvstor64 \Device\ScsiPort0 fffffa80036a62c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8004a5b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2DE4FBF5-845B-4EB7-B9A1-8BB24B9E1608} fffffa80049f32c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004a5b2c0 Device \Driver\aa9li5xe \Device\ScsiPort1 fffffa8004d3b2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80036a62c0]<< sptd.sys storport.sys hal.dll nvstor64.sys fffffa80036a62c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800462c370] fffffa800462c370 Trace 3 CLASSPNP.SYS[fffff88001a9543f] -> nt!IofCallDriver -> [0xfffffa800480ce40] fffffa800480ce40 Trace 5 ACPI.sys[fffff8800118f7a1] -> nt!IofCallDriver -> \Device\00000070[0xfffffa80044db170] fffffa80044db170 Trace \Driver\nvstor64[0xfffffa80036d1500] -> IRP_MJ_CREATE -> 0xfffffa80036a62c0 fffffa80036a62c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aa9li5xe.SYS fffff88004d96000-fffff88004de7000 (331776 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@0022982ef1a2 0x1F 0xC3 0xC0 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@d051629baad8 0xF9 0xA4 0x39 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@0022982ef1a2 0x1F 0xC3 0xC0 0xE6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@d051629baad8 0xF9 0xA4 0x39 0x35 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Niiesmiertelny\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- EOF - GMER 2.1 ----