GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-28 18:50:42 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ADATA_SP550 rev.O0803B5a 111,79GB Running: vie890o4.exe; Driver: C:\Users\1234\AppData\Local\Temp\aftcraob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000049cc0480 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000049cc0470 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000049cc0360 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000049cc0490 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000049cc03d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000049cc0310 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000049cc03a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000049cc0380 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000049cc02d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000049cc02c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0xffffffffd2ec2a90} .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000049cc0300 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000049cc03b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000049cc0440 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000049cc03e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000049cc0220 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000049cc04a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000049cc0390 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000049cc02e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000049cc0340 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000049cc0280 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000049cc02a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0xffffffffd2ec2490} .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000049cc03c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0xffffffffd2ec2590} .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000049cc0320 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000049cc0410 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000049cc0230 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000049cc03f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000049cc01d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000049cc0240 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000049cc04b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000049cc04c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000049cc02f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000049cc0350 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000049cc0290 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000049cc02b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000049cc0370 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000049cc0330 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000049cc0460 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000049cc0420 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000049cc0250 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0xffffffffd2ec1990} .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000049cc0260 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0xffffffffd2ec1990} .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000049cc0400 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000049cc01e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000049cc0200 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000049cc01f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000049cc0430 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000049cc0450 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000049cc0210 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000049cc0270 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000049cc0480 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000049cc0470 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000049cc0360 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000049cc0490 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000049cc03d0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000049cc0310 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000049cc03a0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000049cc0380 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000049cc02d0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000049cc02c0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0xffffffffd2ec2a90} .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000049cc0300 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000049cc03b0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000049cc0440 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000049cc03e0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000049cc0220 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000049cc04a0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000049cc0390 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000049cc02e0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000049cc0340 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000049cc0280 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000049cc02a0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0xffffffffd2ec2490} .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000049cc03c0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0xffffffffd2ec2590} .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000049cc0320 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000049cc0410 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000049cc0230 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000049cc03f0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000049cc01d0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000049cc0240 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000049cc04b0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000049cc04c0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000049cc02f0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000049cc0350 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000049cc0290 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000049cc02b0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000049cc0370 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000049cc0330 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000049cc0460 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000049cc0420 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000049cc0250 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0xffffffffd2ec1990} .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000049cc0260 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0xffffffffd2ec1990} .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000049cc0400 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000049cc01e0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000049cc0200 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000049cc01f0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000049cc0430 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000049cc0450 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000049cc0210 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000049cc0270 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\services.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0xffffffff89272a90} .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0xffffffff89272490} .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0xffffffff89272590} .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0xffffffff89271990} .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0xffffffff89271990} .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\System32\svchost.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\taskhost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\Explorer.EXE[2556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\System32\taskmgr.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0xffffffff89272a90} .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0xffffffff89272490} .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0xffffffff89272590} .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0xffffffff89271990} .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0xffffffff89271990} .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000000070270 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\taskhost.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000076f60480 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000076f60470 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000076f60360 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000076f60490 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 0000000076f603d0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000076f60310 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 0000000076f603a0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000076f60380 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 0000000076f602d0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 0000000076f602c0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0x162a90} .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000076f60300 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 0000000076f603b0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000076f60440 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 0000000076f603e0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000076f60220 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 0000000076f604a0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000076f60390 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 0000000076f602e0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000076f60340 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000076f60280 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 0000000076f602a0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0x162490} .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 0000000076f603c0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0x162590} .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000076f60320 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000076f60410 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000076f60230 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 0000000076f603f0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 0000000076f601d0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000076f60240 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 0000000076f604b0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 0000000076f604c0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 0000000076f602f0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000076f60350 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000076f60290 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 0000000076f602b0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000076f60370 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000076f60330 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000076f60460 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000076f60420 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000076f60250 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0x161990} .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000076f60260 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0x161990} .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000076f60400 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 0000000076f601e0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000076f60200 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 0000000076f601f0 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000076f60430 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000076f60450 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000076f60210 .text C:\Windows\system32\AUDIODG.EXE[5268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000076f60270 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000749f8791 5 bytes JMP 0000000059856c62 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076206143 5 bytes JMP 000000005a55f8ac .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076383e59 5 bytes JMP 000000005988208c .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076383eae 5 bytes JMP 00000000598843ce .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076384731 5 bytes JMP 0000000059884170 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076385dee 5 bytes JMP 00000000598b7921 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f61401 2 bytes JMP 74a1b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f61419 2 bytes JMP 74a1b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f61431 2 bytes JMP 74a99011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f6144a 2 bytes CALL 749f48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f614dd 2 bytes JMP 74a9890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f614f5 2 bytes JMP 74a98ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f6150d 2 bytes JMP 74a98800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f61525 2 bytes JMP 74a98bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f6153d 2 bytes JMP 74a0fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f61555 2 bytes JMP 74a16907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f6156d 2 bytes JMP 74a990c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f61585 2 bytes JMP 74a98c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f6159d 2 bytes JMP 74a987c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f615b5 2 bytes JMP 74a0fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f615cd 2 bytes JMP 74a1b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f616b2 2 bytes JMP 74a98f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[6196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f616bd 2 bytes JMP 74a98759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dfd460 5 bytes JMP 0000000000070480 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dfd4b0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dfd610 5 bytes JMP 0000000000070360 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dfd660 5 bytes JMP 0000000000070490 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dfd670 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dfd720 5 bytes JMP 0000000000070310 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dfd750 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dfd770 5 bytes JMP 0000000000070380 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dfd7b0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dfd830 1 byte JMP 00000000000702c0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076dfd832 3 bytes {JMP 0xffffffff89272a90} .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dfd850 5 bytes JMP 0000000000070300 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dfd890 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dfd8d0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dfd8e0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dfda40 5 bytes JMP 0000000000070220 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dfdc00 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dfdc30 5 bytes JMP 0000000000070390 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dfdd10 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dfdd20 5 bytes JMP 0000000000070340 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dfdd80 5 bytes JMP 0000000000070280 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dfde10 1 byte JMP 00000000000702a0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dfde12 3 bytes {JMP 0xffffffff89272490} .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dfde30 1 byte JMP 00000000000703c0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076dfde32 3 bytes {JMP 0xffffffff89272590} .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dfde40 5 bytes JMP 0000000000070320 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dfdeb0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dfdee0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dfe080 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dfe1a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dfe260 5 bytes JMP 0000000000070240 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dfe290 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dfe2a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dfe2d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dfe2e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dfe340 5 bytes JMP 0000000000070290 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dfe390 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dfe3c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dfe3d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dfe6c0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dfe820 5 bytes JMP 0000000000070420 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dfe8c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076dfe8c2 3 bytes {JMP 0xffffffff89271990} .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dfe8d0 1 byte JMP 0000000000070260 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076dfe8d2 3 bytes {JMP 0xffffffff89271990} .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dfe8e0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dfeaa0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dfeab0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dfeb20 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dfeb80 5 bytes JMP 0000000000070430 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dfeb90 5 bytes JMP 0000000000070450 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dfeba0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\notepad.exe[6508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dfec80 5 bytes JMP 0000000000070270 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00214f4e0876 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00214f4e0876 (not active ControlSet) ---- EOF - GMER 2.2 ----